Approved Scanning Vendor (ASV) scans are an essential part of PCI DSS compliance. They identify vulnerabilities in your external-facing, in-scope systems and confirm that those systems meet PCI requirements. Following a structured process helps organizations maintain security across their perimeter infrastructure between assessments.
PCI ASV Scanning Workflow
- Scope Identification: Define the systems and networks that fall under your PCI DSS scope.
- Select an ASV Vendor: Choose a PCI SSC-approved vendor that fits your operational needs.
- Schedule Scans: Coordinate quarterly scans to assess external vulnerabilities proactively.
- Prepare and Inform: Notify stakeholders, prep documentation, and communicate timing with impacted teams.
- Scan Execution: The ASV performs vulnerability scanning using PCI-approved tools and methodology.
- Analysis and Reporting: A detailed report is issued showing vulnerabilities and remediation steps.
- Remediation: Fix any issues found — prioritizing them based on severity and timeline requirements.
- Rescan (if needed): Once critical issues have been resolved, schedule a rescan with the ASV to verify that the fixes are effective.
- Documentation & Record Keeping: Maintain scan reports and mitigation logs for audits and compliance validation.
- Repeat Quarterly: Continue ASV scans every 90 days to ensure ongoing PCI DSS compliance and perimeter protection.