The landscape of e-commerce security is evolving, and with it comes new requirements for organisations that process online payments. One of the most significant changes in PCI DSS v4.0 is the addition of mandatory Approved Scanning Vendor (ASV) scans for Self-Assessment Questionnaire (SAQ) Type A merchants.

In this article, we’ll explain ASV Scans and why they’re an important piece of the PCI DSS Compliance puzzle.

What is an ASV Scan?

Short for Approved Scanning Vendor scan, an ASV scan is a type of security assessment that looks for vulnerabilities in your public-facing systems, such as your website. It is conducted by a PCI Security Standards Council (PCI SSC)-Approved Scanning Vendor (such as Stratica).

ASV scans are designed to identify weaknesses (also referred to as vulnerabilities) in an organisation’s public-facing systems (such as its website or user portal) that cybercriminals could exploit to access customers’ cardholder data.

Unlike internal vulnerability scans, which happen inside the organisation’s systems, ASV scans are performed from the outside, from the perspective of a cyber criminal. In performing a vulnerability scan this way, security assessors can mimic the approach cybercriminals might take to gain access to cardholder data. ASV scans also make use of automated scanning software.

The Purpose of ASV Scans: Why are ASV Scans essential? 

ASV scans identify weaknesses (and potential entry points for cyber criminals) in an organisation’s systems and help it understand what to address to ensure and maintain the security of payment processing environments.

Because of their importance in securing organisations’ customer data, passing regular ASV Scans is a requirement for PCI Compliance.

Who needs an ASV Scan?

All organisations that accept payment cards must perform ASV Scans to comply with the Payment Card Industry Data Security Standard (PCI DSS).

Before PCI DSS v4.0, Type A merchants (the merchant category with the lowest data breach risk) were not required to undertake ASV Scans to achieve PCI compliance. 

Why do Type A Merchants now Require an ASV Scan?

PCI DSS v4.0 reflects a rapidly evolving security landscape and the continual increase in online payments. Type A merchants outsource all payment data to a third-party payments provider, lowering the risk of a data breach compromising payment card data. However, outsourcing payments doesn’t completely shield them.

The expanded security requirements for Type A merchants reflect identified vulnerabilities that cyber criminals increasingly target. Malicious actors may target a merchant’s systems by exploiting weaknesses in redirect links, the bridge between card data input during payment and the third-party data storage environment.  

The relative lack of security in Type A merchants’ systems makes them an easier target for cyber criminals. An ASV scan adds an additional layer of security that closes cyber criminals’ window of opportunity and takes the easy target off Type A merchants’ backs.

The new ASV scan requirements specifically apply to e-commerce merchants who:

  • Host webpages that redirect payment transactions to a PCI DSS-compliant third-party service provider (TPSP).
  • Include embedded payment pages or forms from a PCI DSS-compliant TPSP.

Scanning Frequency: How Often Does My Organisation Need an ASV Scan? 

You must conduct an ASV Scan quarterly (every 90 days). 

PCI DSS Requirement 11.3.2 mandates external vulnerability scans on your network environment at least once every three months.

If you make significant changes to your network, such as installing a new server or upgrading software or systems that handle cardholder data, you must conduct an ASV Scan – even if it has been less than 90 days since your last one. 

Should your organisation not pass an ASV Scan, you must continue scanning (after addressing the identified vulnerabilities) until you achieve a pass.
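The three cadence rules above (a passing scan at least every 90 days, a fresh scan after a significant change even inside that window, and rescanning after a failure until a pass) are easy to lose track of across several quarters. The following is an added example, not code from the article or from Stratica, that encodes those rules as a small compliance tracker; the scan dates, results and change dates it uses are constructed sample data, and the 90-day limit is taken from the text above.

```python
"""Track ASV scan cadence: a passing scan at least every 90 days, a rescan
after any significant change, and rescans after a failure until a pass.
All scan dates, results and change dates below are constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta

# Longest permitted gap between passing external scans (quarterly ASV scans, PCI DSS 11.3.2)
SCAN_INTERVAL_DAYS = 90


@dataclass(frozen=True)
class ScanRecord:
    scanned_on: date
    passed: bool


def outstanding_reasons(scans, changes, as_of):
    """Return every reason a scan is required on `as_of`; an empty list means nothing is outstanding."""
    # Only scans that had already happened on `as_of` count
    history = sorted((s for s in scans if s.scanned_on <= as_of), key=lambda s: s.scanned_on)
    passes = [s for s in history if s.passed]
    reasons = []
    if not passes:
        reasons.append("no passing ASV scan on record")
    else:
        last_pass = passes[-1].scanned_on
        age = (as_of - last_pass).days
        if age > SCAN_INTERVAL_DAYS:
            reasons.append(f"last passing scan is {age} days old (limit {SCAN_INTERVAL_DAYS})")
        # A significant change after the last pass needs a fresh scan even inside the 90-day window
        uncovered = [c for c in changes if last_pass < c <= as_of]
        if uncovered:
            reasons.append(f"significant change on {uncovered[0]} not yet covered by a passing scan")
    # A failed scan with no later pass means remediation and a rescan are still pending
    if history and not history[-1].passed:
        reasons.append(f"most recent scan on {history[-1].scanned_on} failed; rescan required after remediation")
    return reasons


def next_scan_due(scans, changes, as_of):
    """Date by which the next scan must be completed; `as_of` itself when something is already outstanding."""
    if outstanding_reasons(scans, changes, as_of):
        return as_of
    last_pass = max(s.scanned_on for s in scans if s.passed and s.scanned_on <= as_of)
    return last_pass + timedelta(days=SCAN_INTERVAL_DAYS)


# Constructed sample history: a quarterly pass, a failed scan, the rescan after fixes, then a server change
SAMPLE_SCANS = [
    ScanRecord(date(2025, 1, 10), passed=True),
    ScanRecord(date(2025, 4, 5), passed=False),
    ScanRecord(date(2025, 4, 9), passed=True),
]
SAMPLE_CHANGES = [date(2025, 5, 20)]  # constructed: e.g. a new web server went live


def report(as_of_iso, scans=SAMPLE_SCANS, changes=SAMPLE_CHANGES):
    """Compliance snapshot for an ISO date string, with plain strings for logging or evidence files."""
    as_of = date.fromisoformat(as_of_iso)
    reasons = outstanding_reasons(scans, changes, as_of)
    return {
        "as_of": as_of_iso,
        "compliant": not reasons,
        "reasons": reasons,
        "next_scan_due": next_scan_due(scans, changes, as_of).isoformat(),
    }


if __name__ == "__main__":
    # Walk the sample history: pending rescan, compliant, change outstanding, overdue
    for day in ("2025-04-07", "2025-05-01", "2025-06-01", "2025-07-15"):
        print(report(day))
```

Feed it your real scan log and change register in place of the sample lists; the `reasons` list doubles as the explanation to keep alongside each scan report when you file compliance evidence.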

What Gets Scanned in an ASV Scan?

ASV scans focus on:

  • External-facing IP addresses
  • Domains associated with your e-commerce environment
  • Systems that could impact the security of payment transactions
  • Web applications that facilitate payment processing

Common Vulnerabilities that ASV Scans detect

ASV scans typically detect several common e-commerce vulnerabilities, including:

  • Infrastructure-layer vulnerabilities such as outdated or unpatched servers and weak firewall rules. 
  • Application-level security issues, such as weak authentication measures and opportunities to inject malicious code into payment pages. 
  • Configuration weaknesses such as unencrypted data or error messages with information a cybercriminal can exploit.
  • Outdated software components. According to Gutsy, 60% of cyber attacks result from known vulnerabilities in outdated software being exploited.  

What happens if I don’t have, or I don’t pass, an ASV scan?

You will not be PCI compliant if you do not pass an ASV scan when required (every 90 days). Non-compliance comes with the inherent security risks that make PCI compliance essential in today’s environment. With increasing knowledge around the impact of a poor cyber security posture, non-compliance may lead to increased scrutiny from your customers, partners and financial institutions.

ASV Scan Best Practices: What to do Before and After Each ASV Scan

Before your ASV Scan:

To ensure the successful implementation of ASV scanning, your organisation should:

  • Choose a qualified ASV from the PCI SSC’s list of Approved Scanning Vendors, such as Stratica.
  • Ensure the vendor understands your specific e-commerce environment. Through a comprehensive security review, Stratica gains a complete understanding of our clients’ e-commerce environments, enabling us to provide tailored advice that meets each organisation’s unique needs. 

When preparing for Scanning:

  • Document all external-facing IP addresses and domains.
  • Identify all components that process or impact payment security.
  • Plan scans during lower-traffic periods.

After your ASV Scan:

After an ASV Scan, your organisation must:

  • Address the findings. 
  • Promptly remediate identified vulnerabilities.
  • Maintain documentation of all remediation efforts.
  • Schedule follow-up scans to verify fixes.

For compliance validation, your organisation must maintain evidence of passing ASV scans.

Don’t forget to save a copy of each scan.

What should I do if my organisation doesn’t pass an ASV Scan?

In the event of a scan failure, your organisation should:

  • Document all false positives. 
  • Work with your ASV to understand and address legitimate findings. 
  • Implement a systematic approach to vulnerability remediation.

Timeline and Compliance

If you accept payment cards, you should begin incorporating ASV Scans into your cybersecurity practices immediately—if you haven’t already. Ensure quarterly scanning is in place from, and preferably before, 31 March 2025.

Maximise the efficiency of your ASV Scans

There’s no getting around the need for an ASV Scan, so your organisation will need to allocate resources to them. That’s why it’s important you optimise your ASV Scanning process. 

To maximise the value of your investment in ASV Scans, you should: 

  • Consider automated scanning solutions
  • Develop a clear remediation workflow
  • Prioritise vulnerabilities based on risk level

Conclusion

The addition of ASV scan requirements to SAQ A represents a significant step in protecting e-commerce environments from evolving cyber security threats. While this new requirement may seem daunting, it’s crucial to preventing security breaches and protecting payment data.

Regular vulnerability scanning is not just about compliance—it’s about maintaining a robust security posture that protects your business and your customers’ sensitive payment information.

Remember, the goal is not just to check a compliance box. It’s to establish a strong security foundation that helps prevent breaches and protects your e-commerce environment. 

Start preparing now if not yesterday 😉 to ensure you’re ready to meet these requirements by the 31 March 2025 deadline.

Stratica can ensure you remain PCI compliant by assisting your organisation with its ASV scan requirements.

Contact Stratica to book a complimentary security review including an ASV scan.