What is an Approved Scanning Vendor?
An Approved Scanning Vendor (ASV) is a company or organization that has been certified by the Payment Card Industry Security Standards Council (PCI SSC) to perform external vulnerability scans for businesses that handle payment card data. These vendors scan an organization’s internet-facing systems from outside the network to validate one specific control of the PCI Data Security Standard (PCI DSS): the external vulnerability scan requirement.
The scans performed by ASVs are designed to identify weaknesses in an organization’s external-facing systems (open ports and services, outdated or unsupported software, weak TLS configuration, default accounts, injection flaws in web applications) that an attacker on the internet could exploit. The goal is to protect cardholder data by ensuring that these systems are secure and meet the requirements set forth by PCI DSS.
PCI DSS requires external vulnerability scans at least once every three months, and after any significant change, performed by an ASV (Requirement 11.3.2 in PCI DSS v4.x; 11.2.2 in v3.2.1). Whether a merchant must submit scan results to its acquirer or payment brand depends on its merchant level and the Self-Assessment Questionnaire (SAQ) it is eligible for, but wherever the requirement applies, the scan must come from an ASV; an internal scan or a self-run scanning tool does not satisfy it. After the scan, the ASV provides a scan report and an Attestation of Scan Compliance that lists any vulnerabilities found and states whether the scan passed. A scan fails if any vulnerability with a CVSS base score of 4.0 or higher is found, or if any of the automatic-failure conditions in the ASV Program Guide (such as an internet-accessible database) is present. The company must then remediate the findings and be re-scanned until it achieves a passing scan.
Start Getting Value With
Centraleyes for Free
See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days
The PCI SSC Approval Process
Becoming an ASV is no small feat. The PCI SSC maintains a rigorous approval process that each ASV must undergo. The vendor’s scanning solution is tested against a PCI SSC test infrastructure to confirm it detects the classes of vulnerabilities the program requires and reports them correctly, and the staff who run and review scans must complete PCI SSC ASV training. What’s more, this approval isn’t a one-and-done deal: ASVs must be re-approved annually to maintain their status. This continuous re-approval process ensures that ASVs stay updated with evolving security requirements.
Why Re-Approval Matters
The annual re-approval of ASVs is crucial for maintaining the integrity and effectiveness of PCI DSS compliance. Businesses relying on ASVs for their vulnerability scans can reasonably expect that these vendors are current with the latest security practices. However, businesses should regularly check the PCI SSC’s List of Approved Scanning Vendors, published on the PCI SSC website, to confirm that their chosen ASV still holds approved status. The list is updated frequently, and a scan report from a vendor that has lost its approval will not be accepted as evidence of compliance.
No Endorsement Implied
It’s important to note that while the PCI SSC approves ASVs, this approval should not be misconstrued as an endorsement of the vendor’s business practices. Approval indicates only that the ASV has met the requirements to perform PCI external vulnerability scanning; it says nothing about the quality of other services the vendor may offer, such as penetration testing, remediation consulting, or compliance tooling, which fall outside the ASV program.
Understanding the Remediation Process
What happens if an ASV fails to meet the qualification requirements? In such cases, the PCI SSC may place the ASV in an “In Remediation” status on the list. This means that the PCI SSC has determined that the ASV has violated one or more of the qualification requirements and must take corrective action. During this time, the ASV works to resolve the issues and regain its approved status. Businesses should watch for this status on the list and may need to line up an alternative ASV so that a quarterly scan deadline is not missed.
Global Presence and Options
One of the strengths of the ASV program is its global reach. Whether your business operates in the United States, Europe, Asia, or anywhere else, an ASV can likely meet your needs. For example, companies like AccessIT Group, Inc in the USA, AKATI Consulting (M) Sdn Bhd in Malaysia, and Fujitsu Limited in Japan are just a few of the globally recognized ASVs. This worldwide network of ASVs ensures businesses of all sizes and locations can find a compliant scanning solution.
Choosing the Right ASV for Your Business
Selecting the right ASV is crucial for any business concerned with PCI DSS compliance. When choosing an ASV, consider factors such as the vendor’s experience, global reach, and level of customer support. Confirm that the ASV is on the current list of approved vendors, and make sure its service can cover your full external scan scope: every internet-facing IP address and domain in, or connected to, the cardholder data environment, including hosts in cloud providers and behind CDNs or load balancers. Defining that scope correctly is the scan customer’s responsibility, not the ASV’s, so pick a vendor whose process makes scope review easy.
Bottom Line: How Much Does it Cost?
The cost of hiring an Approved Scanning Vendor (ASV) for PCI DSS compliance varies with the size and complexity of your organization. For small to medium-sized businesses, ASV services typically cost in the range of $200 to $1,000 per year, usually covering the four quarterly vulnerability scans and basic reporting. Larger enterprises with more complex infrastructures may need more frequent scans, advanced reporting, and additional support, which can raise the price to $1,000 to $5,000 or more per year.
Some vendors offer subscription packages that bundle monthly or quarterly scans with ongoing support, costing anywhere from $500 to $10,000 annually, depending on the frequency and scope of services. Additional costs may include remediation assistance, custom reporting, or retests after a failed scan. Major ASVs offer these services with pricing and features tailored to your business’s specific compliance needs.
PCI DSS 4.0 introduces new requirements such as targeted risk analysis and stronger authentication controls. These do not change what an ASV scan covers, but vendors that bundle broader compliance support around the scan may price those additional services accordingly.