PCI ASV Scanning Services

PCI DSS v4 Requirement 11.3.2 requires every merchant, service provider, and acquirer with externally-facing systems in scope of PCI DSS to have external vulnerability scans performed at least once every three months by a PCI SSC Approved Scanning Vendor (ASV). The scans must produce a passing result as the ASV Program Guide defines it: no in-scope component carries a vulnerability scored CVSS 4.0 (medium) or higher that has not been resolved or accepted by the ASV as a documented false positive, exception, or compensating control, and none of the Program Guide's automatic-failure conditions is present.

RedSecLabs delivers ASV scanning through a PCI SSC Approved Scanning Vendor partner. We deliver quarterly ASV scans, rapid re-scans after remediation, and the formal attestation reports your acquirer and QSA require. Our methodology aligns to current PCI ASV Program Guide expectations and produces audit-ready evidence on first delivery.

We work with UK and global merchants, payment service providers, acquirers, and SaaS platforms in scope of PCI DSS.

Accreditations: CREST penetration testing member · ISO certified · OSCP certified testers


UK-based CREST member · QSA-aligned methodology · Same-day scoping response · Executive + technical reports · Re-scan included

At a glance: scans delivered through a PCI SSC Approved Scanning Vendor (ASV) · Quarterly (at least every three months) is the required cadence · Rapid re-scan turnaround · CREST member company

What is ASV scanning

PCI DSS Requirement 11.3.2 requires quarterly external vulnerability scans, conducted from outside the cardholder data environment, by a vendor specifically approved by the PCI Security Standards Council. The scans probe externally-facing IP addresses, web applications, and services for vulnerabilities that an external attacker could exploit.

Only Approved Scanning Vendors can produce scan reports that satisfy PCI DSS. Generic vulnerability scans from non-approved providers do not count, regardless of technical quality. The ASV programme has specific methodology requirements, dispute resolution processes, and attestation formats that the PCI SSC oversees directly.

What ASV scanning delivers:

PCI DSS Requirement 11.3.2 compliance evidence

Quarterly Attestation of Scan Compliance (AOSC)

Detailed vulnerability findings with CVSS scoring

Audit-ready scan reports your QSA and acquirer accept

Remediation guidance and re-scan support

Dispute resolution support for false positives

Most clients run all four quarterly scans with us under a single annual engagement; passing scans are submitted directly to your acquirer or kept on file for your QSA assessment.

Why ASV scanning matters beyond compliance

PCI DSS Requirement 11.3.2 is the compliance trigger, but the operational value of ASV scanning is broader. Externally-facing assets in the cardholder data environment are the highest-risk surface in any payments business, exposed to automated mass scanning from threat actors continuously. Quarterly ASV scans are the minimum cadence that catches new exposures before they become incidents.

Compliance failure also has real teeth. Failed ASV scans without remediation evidence put your acquirer relationship at risk, can lead to acquirer-imposed fines and ultimately to termination of merchant services, and become an audit failure point at your next QSA assessment. The cost of a failed scan with no remediation is meaningfully greater than the cost of running a proper ASV programme.

Common pressures ASV scanning addresses:

PCI DSS Requirement 11.3.2 compliance failure

Acquirer-imposed fines for missed quarterly scans

QSA audit failure on the external scanning evidence

Externally-facing exposures missed by internal teams

Continuous threat actor scanning of payment surfaces

Inability to attest passing scans for the AOSC submission

ASV scanning is non-negotiable for any PCI DSS-in-scope external surface. Running it well is materially cheaper than running it badly or skipping it.

Who needs ASV scanning

Anyone with externally-facing systems in scope of PCI DSS needs ASV scanning, regardless of merchant level:

Payment service providers

E-commerce merchants (all levels)

Banks and acquirers

Retail and hospitality

SaaS in scope of PCI DSS

Cloud-hosted card environments

Payment gateways

Marketplaces handling card data

How we run ASV scanning programmes

Our ASV scanning programme is built around quarterly cadence, rapid re-scan turnaround, and the formal artefacts the PCI ASV Program Guide mandates.

01

Initial Scoping

We identify every externally-facing IP address and host in scope of PCI DSS, document the cardholder data environment perimeter, and confirm the in-scope target list with you.

02

Discovery & Verification

Discovery scan identifies live hosts and exposed services. We verify scope completeness against your declared CDE and flag any discovered exposures you might not have known about.

03

Quarterly Vulnerability Scan

Full ASV-compliant scan against the in-scope target list. Scans are unauthenticated and non-disruptive, as the ASV Program Guide requires for external scans (no denial-of-service or other intrusive tests), and every finding is assigned a CVSS base score and severity band per the Program Guide: High (7.0 to 10.0), Medium (4.0 to 6.9), Low (0.0 to 3.9). Anything at 4.0 or above fails the component until it is fixed or an accepted dispute is recorded.

04

Findings Review

Findings reviewed with your team to identify false positives and exceptions (we prepare and file disputes under the ASV Program Guide process, which the ASV adjudicates; the PCI SSC does not arbitrate individual findings) and to prioritise remediation by severity.

05

Remediation Support

Hands-on guidance on remediating findings. Most clients use us as the technical advisor on the fix as well as on the scan; we do not just hand over a PDF and walk away.

06

Re-scan

After remediation, we re-scan the affected targets within agreed turnaround (usually within 5 business days). Re-scans continue until a passing result is achieved.

07

Attestation of Scan Compliance (AOSC)

Formal AOSC issued in the PCI ASV format your acquirer and QSA expect. Submission support included.

08

Annual Programme

All four quarterly scans run as a coordinated annual programme, with calendar-aligned scheduling, evidence retention, and renewal planning.

Most clients complete the full four-quarter programme without any unscheduled work beyond agreed re-scans. We monitor your scope between quarters and flag any changes that warrant attention.
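The scope reconciliation in step 02 and the pass/fail rule applied in steps 03, 04 and 06 (and stated in the opening paragraph: any CVSS 4.0 or higher finding, or an automatic-failure item, fails the component unless an accepted dispute covers it) can be expressed as a short triage script. The block below is an added example, not RedSecLabs' or any ASV's tooling. The addresses (TEST-NET-3), hostnames (example.com), findings and scores are constructed, and the automatic-failure category set is an illustrative subset of what the ASV Program Guide lists, with labels of our own choosing.

```python
"""
ASV-style scope reconciliation and pass/fail triage.

Added example, not RedSecLabs' tooling: hostnames, addresses (TEST-NET-3 and
example.com) and every finding below are constructed. The automatic-failure
category set is an illustrative subset; the ASV Program Guide is authoritative.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# ASV Program Guide severity bands. A component passes only when no finding
# scores CVSS 4.0 or higher (Medium/High) and no automatic-failure item is present.
PASSING_THRESHOLD = 4.0

# Illustrative subset of the Program Guide's automatic failures (fail regardless
# of CVSS). Category strings are our own labels, not a standard vocabulary.
AUTOMATIC_FAIL = {"sql_injection", "xss", "directory_traversal",
                  "http_response_splitting", "backdoor_or_malware",
                  "default_credentials"}


def severity_band(cvss: float) -> str:
    """Map a CVSS base score onto the Program Guide's High/Medium/Low bands."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS base score out of range: {cvss}")
    if cvss >= 7.0:
        return "High"
    if cvss >= PASSING_THRESHOLD:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    title: str
    cvss: float
    category: str = "other"
    dispute_accepted: bool = False  # ASV accepted a false-positive/exception dispute


def reconcile_scope(declared: list[str], discovered_live: list[str]) -> dict:
    """Step 02: compare the declared CDE perimeter (IPs, CIDRs, hostnames) with
    hosts the discovery scan found live; anything live but undeclared needs a
    scoping decision before the quarterly scan runs."""
    networks, names = [], set()
    for item in declared:
        try:
            networks.append(ipaddress.ip_network(item, strict=False))
        except ValueError:
            names.add(item.lower())
    in_scope, undeclared = [], []
    for host in discovered_live:
        try:
            covered = any(ipaddress.ip_address(host) in net for net in networks)
        except ValueError:
            covered = host.lower() in names
        (in_scope if covered else undeclared).append(host)
    return {"in_scope": in_scope, "undeclared": undeclared}


def evaluate_scan(hosts: list[str], findings: list[Finding]) -> dict:
    """Steps 03-04 and 06: apply the pass/fail rule per component. The scan as a
    whole passes only when every in-scope component passes, which is why a
    re-scan repeats until the last failing finding is cleared."""
    components = {h: {"failing": [], "noted": [], "low": []} for h in hosts}
    for f in findings:
        comp = components.setdefault(f.host, {"failing": [], "noted": [], "low": []})
        if f.dispute_accepted:
            comp["noted"].append(f.title)  # reported under exceptions/false positives
        elif f.category in AUTOMATIC_FAIL or f.cvss >= PASSING_THRESHOLD:
            comp["failing"].append((f.title, severity_band(f.cvss)))
        else:
            comp["low"].append(f.title)  # reported but does not affect the result
    result = "PASS" if all(not c["failing"] for c in components.values()) else "FAIL"
    return {"result": result, "components": components}


# Constructed inputs for a worked run.
DECLARED = ["203.0.113.0/29", "shop.example.com"]
DISCOVERED = ["203.0.113.2", "203.0.113.3", "203.0.113.9",
              "shop.example.com", "legacy.example.com"]
INITIAL_FINDINGS = [
    Finding("203.0.113.2", 443, "TLS 1.0 supported", 4.3, "weak_tls"),
    Finding("shop.example.com", 443, "Reflected XSS in search parameter", 6.1, "xss"),
    Finding("shop.example.com", 443, "ICMP timestamp disclosure", 2.1),
    Finding("203.0.113.3", 22, "OpenSSH banner matched a vulnerable version "
            "(vendor backported the fix)", 5.3, "other", dispute_accepted=True),
]
# Re-scan after remediation: TLS 1.0 disabled and the XSS fixed; the rest unchanged.
RESCAN_FINDINGS = [f for f in INITIAL_FINDINGS
                   if f.title not in ("TLS 1.0 supported", "Reflected XSS in search parameter")]

if __name__ == "__main__":
    scope = reconcile_scope(DECLARED, DISCOVERED)
    print("undeclared live hosts:", scope["undeclared"])
    print("initial scan:", evaluate_scan(scope["in_scope"], INITIAL_FINDINGS)["result"])
    print("re-scan:", evaluate_scan(scope["in_scope"], RESCAN_FINDINGS)["result"])
```

Two design points match how the real programme behaves. The XSS finding fails the component even though its score alone would already do so, because automatic-failure items are checked before the CVSS threshold and would fail at any score; and the disputed OpenSSH banner is kept on the report as a noted exception rather than silently dropped, which is what the ASV report's exceptions section is for.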

What you receive

Every ASV scanning engagement delivers:

  • Quarterly ASV scan reports in PCI SSC format
  • Attestation of Scan Compliance (AOSC) per quarter
  • Detailed vulnerability findings with CVSS scoring
  • False positive and exception dispute support under the ASV Program Guide process
  • Remediation guidance for every finding
  • Rapid re-scan turnaround after remediation
  • Acquirer and QSA submission support
  • Annual evidence pack for PCI DSS audit

Industries We Serve

We deliver this service across these industries:

Payment Service Providers
E-commerce
Banks & Acquirers
Retail
Hospitality
PaymentTech
Cloud Payment Platforms
Marketplaces

Why RedSecLabs for ASV scanning

PCI SSC Approved Scanning Vendor partner
CREST member company
Audit-ready AOSC reports
Rapid re-scan turnaround
Senior ASV-qualified staff
Integrates with broader PCI DSS work

Speak to a PCI ASV scanning specialist

Book a 30-minute scoping call. We will confirm your external attack surface and quote a fixed annual fee within 48 hours.

Frequently Asked Questions

What is an Approved Scanning Vendor?

An Approved Scanning Vendor (ASV) is an organisation approved by the PCI Security Standards Council to perform the external vulnerability scans required by PCI DSS Requirement 11.3.2. Approval covers the scan solution, which the PCI SSC tests, the staff who run and review scans, and the report and attestation formats. Scans from a non-ASV do not satisfy Requirement 11.3.2 regardless of their technical quality.

Do I need ASV scanning?

It depends on what you expose. Requirement 11.3.2 attaches to externally-facing systems in scope of PCI DSS, so merchants who host nothing in scope themselves (the classic fully outsourced SAQ A model) have historically not needed scans of their own infrastructure, while SAQ A-EP merchants, whose website does not receive card data but controls how customers are redirected to, or load, the third-party payment page, do need the page-hosting environment scanned. Because the PCI DSS v4 SAQs have changed which requirements SAQ A merchants attest to, confirm the requirement list in your current SAQ with your acquirer or QSA; we do this with you during initial scoping.

How quickly can you re-scan after remediation?

Usually within 5 business days, often faster. Re-scans are a normal part of every ASV programme; most clients do at least one re-scan per quarter as they remediate findings from the initial scan. We do not charge per re-scan within reasonable limits.

Can you dispute false positives?

Yes. The PCI ASV Program Guide includes a formal dispute process for findings you believe are false positives, exceptions, or covered by compensating controls. Disputes are raised with and adjudicated by the ASV, not the PCI SSC; we prepare and file them on your behalf with supporting evidence, accepted disputes are recorded in the scan report's exceptions section, and well-evidenced disputes have a high acceptance rate.

Does ASV scanning cover internal systems?

No, ASV scanning is specifically for externally-facing assets. PCI DSS Requirement 11.3.1 covers internal vulnerability scanning, which is a separate engagement, although it can be run alongside ASV scanning by our wider vulnerability assessment team. Many clients combine the two so the same vendor handles both internal and external scanning under one programme.

How is ASV scanning priced?

Pricing is scoped to your in-scope external IP count, the complexity of the environment, and the level of remediation support you want included. We confirm fixed-fee scope within 48 hours of a scoping call. Annual programmes are materially cheaper than quarter-by-quarter purchases.