What is an ASV?

An Approved Scanning Vendor (ASV) is an organization deploying security services and tools (sometimes called an ASV scan solution) to conduct external vulnerability scanning services to validate adherence with PCI DSS Requirement 11.2.2.

The scanning vendor’s ASV scan solution gets tested and approved by the PCI Security Standards Council (PCI-SCC) before being added to its list of Approved Scanning Vendors. For a company to be approved, they must first become a legal entity and fulfill all requirements to conduct business. Next, they have to go through a registration process with the PCI SSC that consists of reviewing the ASVs program guide, register for the testing, and provide administrative information and technical details by submitting an attestation of compliance. The application is reviewed by the council and either accepted or denied for testing.

ASVs often perform an external vulnerability scan of an organization’s network or website from the outside looking inward. In addition to determining PCI compliance, these scans from service providers can provide insight into any data security changes that need to be made.