Compliance Glossary

An ASV is an organization that uses a set of security tools and services (called “ASV scan solution”) to perform external vulnerability scans. Their goal is to test the security posture of a business environment and identify vulnerabilities, misconfigurations, and other gaps in a security system that can be used to cause a security incident. 

This helps organizations improve their data security and meet PCI DSS requirements.

An ASV’s scan solution is rigorously tested and approved by the PCI SSC. Only then do they earn a spot on the PCI SSC’s List of Approved Scanning Vendors.

Key stages in PCI ASV scanning:

• Determine the scope: The customer determines what parts of their internet-facing system, including components related to cardholder data, should be scanned.
• Scan: The ASV conducts vulnerability scans using its scanning tools. Different sections of the Cardholder Data Environment (CDE) can be scanned separately.
• Remediation: After scanning, the ASV shares interim results with the customer, who then takes necessary actions to fix any issues.
• Resolution: If there are disagreements about scan results, the client and ASV work together to resolve them.
• Rescan (if needed): Additional scans are performed until all conflicts and exceptions are resolved.
• Final reporting: When no vulnerabilities remain, the ASV generates a report approved by PCI ASV and securely delivers it to the customer.