Are you wondering, “Do I need a PCI ASV?” We’ll try to make this as simple as possible.
Answer: If you take credit cards as a method of payment, then a scan from a PCI ASV is most likely required.
To meet PCI compliance standards, retailers and merchants need to have their external IP addresses scanned quarterly by a PCI ASV (Approved Scanning Vendor) listed with the PCI SSC, with few exceptions.
What makes an ASV different? PCI ASVs have their scanning technology evaluated annually to ensure it detects issues relevant to PCI compliance and to overall credit card security. It is true that there are many vulnerability scanning options out in the wild. However, if a scanning company is not listed on the PCI SSC website, there’s no guarantee it will detect PCI vulnerabilities. Further, its results will not be acceptable for credit card compliance. Backbone Security’s vulnerability scanning solution, 1 Stop PCI Scan, provides retailers with evidence of external PCI scan compliance from a trusted PCI ASV.
In what instances would you not require a PCI ASV scan? If you qualify to use SAQ A, SAQ B, SAQ C-VT or SAQ P2PE, then you will not require ASV scanning. With that said, it is still wise to have vulnerability scanning performed, even when qualifying for those other SAQ types. And the decision on whether or not scanning by a PCI ASV is required is ultimately up to your acquiring bank. They have the final say on that matter and can request evidence that goes above and beyond the technical requirements listed in a particular SAQ document.