Quarterly external vulnerability scans, passing attestations, and acquirer-ready reports under PCI DSS 4.0.1 Requirement 11.3.2. Predictable annual fee, predictable compliance.
ASV scanning is a tightly defined PCI service: an unauthenticated external scan of every internet-facing component of your cardholder data environment, performed by a PCI SSC-approved vendor in accordance with the PCI SSC ASV Program Guide. It is not a penetration test, an internal scan, or a web-application pentest; those are separate PCI requirements and are bought separately.
What ASV scanning does give you is the regulator-grade, auditor-grade, acquirer-grade evidence that your external attack surface meets PCI's minimum bar, refreshed every 90 days.
Req 11.3.2 requires “external vulnerability scans performed at least once every three months by a PCI SSC Approved Scanning Vendor”, with a passing scan defined as no vulnerability rated 4.0 or higher (CVSS v2) and no vulnerability in the automatic-fail categories (default credentials, dangerous protocols, etc.).
Significant changes to the CDE (new IPs, new payment flows, infrastructure migrations) also trigger an out-of-cycle scan. We track significant-change events alongside the quarterly cycle so nothing is missed.
Quarter 1: Scope confirmation, baseline scan, remediation cycle, passing attestation.
Quarter 2: Delta scan, change-control review, vulnerability triage, passing attestation.
Quarter 3: Mid-year scope refresh, scan, remediation, passing attestation.
Quarter 4: Year-end scan, annual scope report, passing attestation, ready for QSA RoC season.
An ASV is an organisation certified by the PCI Security Standards Council to perform external vulnerability scans of internet-facing systems in a merchant's or service provider's cardholder data environment. Only ASVs can produce the attestation that satisfies PCI DSS Requirement 11.3.2; your own scans, however good, are not acceptable evidence.
PCI DSS 4.0.1 Requirement 11.3.2 requires external vulnerability scans at least once every three months, and after any significant change to the cardholder data environment. All findings rated as failing (typically CVSS ≥4.0 or specific automatic-fail categories) must be remediated and the scan re-run until a passing attestation is obtained.
Every internet-routable IP address and fully qualified domain name in your cardholder data environment scope: payment pages, payment APIs, supporting infrastructure (mail, DNS, jump hosts), and any third-party-hosted assets in scope. We work with you to confirm scope, identify load balancers and CDNs, and ensure no in-scope asset is missed.
We deliver a prioritised remediation report, support your team through the fixes, then rescan at no additional cost within the quarterly window. The clock for the quarter resets only when the passing attestation is delivered, so fast remediation matters. Most failures we see are misconfigured TLS, exposed admin interfaces, and outdated web server versions.
Yes. Each passing quarterly cycle includes the Attestation of Scan Compliance, Executive Summary, and Vulnerability Details, the three documents your acquiring bank or QSA will ask for. We package them into a single submission-ready PDF on every quarterly run.
Annual ASV contract from a recognised Malaysian provider. Onboard inside 5 business days.
Get a Scope