Approved Scanning Vendor (ASV)

As an ASV, you’ll join an elite group of businesses that have been qualified by the PCI Security Standards Council (PCI SSC) to conduct point-of-sale (POS) scanning and vulnerability assessments.

What is an Approved Scanning Vendor (ASV)?

An Approved Scanning Vendor, or ASV, is someone that is approved by the PCI Security Standards Council to  determine whether an organization meets PCI DSS external scanning requirements. ASVs perform an external vulnerability scan of an organization’s network or website from the outside looking inward, using similar methods to hackers, such as penetration testing.

The ASV program is designed to help merchants protect their customers’ payment data by providing a certified Scanning Vendor who is approved to scan an organization’s network. This allows merchants to outsource the scanning process, and gives them peace of mind that their payment data is being protected the way it should.

There are a number of PCI SSC approved scanning vendors, and the list is constantly changing as new vendors are approved. Costs for services vary, so be sure to do your research and find the best option for your business.

Benefits of having an Approved Scanning Vendor (ASV)

If you’re not sure what an Approved Scanning Vendor is, they’re essentially third-party companies that have been approved by the PCI Security Standards Council (PCI SSC) to determine whether or not your organization is privy to security vulnerabilities, such as malware attacks and other breaches. 

There are a number of benefits to having an Approved Scanning Vendor, with the most obvious of which is that it is needed to meet the PCI DSS compliance requirements. But there are other reasons why an ASV is hugely beneficial.

ASVs can also provide peace of mind. By using an ASV, you know that the data you manage, store and transfer is being scanned and validated by a trusted third party for any vulnerabilities. This can give your customers confidence that their information is safe and secure when they do business with you and free from any security vulnerabilities.

How to become a PCI SSC Approved Scanning Vendor

If you’re wanting to become an approved scanning vendor (ASV) on the PCI Security Standards Council (PCI SSC) roster, there are a few steps you’ll need to take.

1. Register: A prospective ASV must first review the Approved Scanning Vendors (ASVs) Program Guide and then register for the testing process and provide administrative information and technical details by submitting an attestation of compliance adhering to the Qualification Requirements for Approved Scanning Vendors (ASVs).
2. Test Preparation: The prospective ASV must return the signed Test Agreement, provide details on its customer scan administration process, and pay the test fees upon receipt of the invoice. The Council will then confirm the test date and provide necessary details about the test infrastructure
3. Testing: Each applicant runs its test tool(s) against the Council’s test Web perimeter and submits its results. After remotely scanning the test infrastructure, the vendor must identify the vulnerabilities and misconfigurations found, and report its findings in both executive and detailed test reports.
4. Compliance Assessment: The PCI Security Standards Council’s representative will review and evaluate the vendor’s test performance and reports. If an applicant is approved, the vendor’s information is added to the list of ASVs on the Council’s Web site. Annually, a Council representative will invite the vendor to participate in re-certification testing, which will follow the steps listed above

Read our blog: How to Prepare for Your PCI DSS Audit