5 Steps to Building a Strong ASV Scanning Program

May 6, 2025

AUTHORED BY

Justin Bonk, CISSP, PCI-QSA, CIA, CISA, CIPP/US

Senior Manager, Freed Maxick Risk Advisory Services

ASV scans are a foundational requirement of PCI compliance, and performing them consistently each quarter is non-negotiable. Yet, even seemingly minor oversights in the scanning process can escalate quickly, potentially leading to non-compliance.

Because PCI is highly prescriptive when it comes to ASV scanning timelines and outcomes, delays or missteps can become significant obstacles. To avoid those challenges, we recommend incorporating the five practices below into your organization’s ASV scanning program. These steps help ensure not only compliance, but a more secure and efficient process overall.

1. Ensure Quarterly ASV Scans Are Performed on Time

Per PCI DSS v4.0, quarterly controls—including ASV scans—must be performed at least once every 90 to 92 days, or on the same day of every third month. Missing these deadlines can result in non-compliance.

Recommended strategies to stay on track with quarterly ASV scanning:

  • Formalize Timelines in Your Vulnerability Management Policy: Incorporate the scanning schedule directly into policy documentation. Using something like the "third Friday of every third month" is often more straightforward than tracking day counts between scans.

  • Leverage Calendar Reminders: Set reminders well in advance of your scan due dates. Build in buffer time to account for potential delays or issues that may arise.

  • Scan More Frequently Than Required: While quarterly scans are the minimum, scanning more frequently offers several benefits—including better security visibility, more options in the event of scan issues, and the ability to show ongoing remediation efforts. The PCI Security Standards Council (PCI SSC) itself recommends scanning more often than quarterly.
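As an added illustration (not code from the article or from Freed Maxick), the helper below turns the cadence rules above into a check: a scan is on time if it falls within 92 days of the previous one or on the same day of the third month, a policy anchor such as "third Friday of every third month" is computed directly, and a reminder date is derived with a buffer. The scan history and the 21-day buffer are constructed assumptions.

```python
# Added example: quarterly ASV scan cadence checker (constructed data, not from the article).
from __future__ import annotations
from datetime import date, timedelta
import calendar

MAX_GAP_DAYS = 92  # upper bound of the 90-92 day quarter stated in the article


def same_day_third_month(prev: date) -> date:
    """Same calendar day three months later, clamped to the end of a shorter month."""
    month0 = prev.month - 1 + 3
    year, month = prev.year + month0 // 12, month0 % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(prev.day, last_day))


def third_friday(year: int, month: int) -> date:
    """Policy anchor such as 'third Friday of every third month' (weekday 4 == Friday)."""
    offset = (4 - date(year, month, 1).weekday()) % 7
    return date(year, month, 1 + offset + 14)


def is_on_time(prev: date, nxt: date) -> bool:
    """On time if within 92 days of the previous scan, or on the same day of the third month."""
    gap = (nxt - prev).days
    return 0 < gap <= MAX_GAP_DAYS or nxt == same_day_third_month(prev)


def reminder_date(prev: date, buffer_days: int = 21) -> date:
    """Calendar reminder: the 92-day deadline minus a buffer for rescans and ASV certification."""
    return prev + timedelta(days=MAX_GAP_DAYS - buffer_days)


def audit_cadence(scans: list[date]) -> list[dict]:
    """Evaluate each consecutive pair of scan dates and flag gaps that break the cadence."""
    return [
        {"from": prev.isoformat(), "to": nxt.isoformat(),
         "gap_days": (nxt - prev).days, "on_time": is_on_time(prev, nxt)}
        for prev, nxt in zip(scans, scans[1:])
    ]


if __name__ == "__main__":
    # Constructed history: three scans on the third Friday, then one that slips a week.
    history = [third_friday(2025, 1), third_friday(2025, 4), third_friday(2025, 7), date(2025, 10, 24)]
    for row in audit_cadence(history):
        print(row)
```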

2. Scan the Entire Cardholder Data Environment (CDE)

Timeliness alone isn’t enough—your scans must be comprehensive. All internet-facing components of your CDE must be included. Overlooking even one component increases security risk and can lead to non-compliance if not addressed before the next quarterly scan.

Additionally, significant changes to any external-facing component require a new ASV scan to meet PCI DSS requirement 11.3.2.1.

ASV scan best practice:
Review your ASV scan scope as part of each quarterly cycle. Revalidating the scope ensures that no changes have gone unnoticed and reduces the risk of exclusions that may compromise compliance.

3. Ensure Your ASV Certifies the Results

A scan is not complete until your ASV formally certifies the results. Without certification, scan results cannot be used as evidence of compliance.

While passing scans typically get certified quickly, false positives are common and often require coordination with your ASV. This back-and-forth can take time, which is why most ASVs recommend scanning well ahead of deadlines.

Important note:
Some ASVs will not certify scans retroactively if too much time has passed since the original scan. To avoid this situation, always finalize the scan process promptly and ensure results are certified.

4. Initiate Remediation Activities Immediately

If any vulnerabilities are identified with a CVSS score of 4.0 or higher, remediation is mandatory—followed by a rescan to validate the fixes. Because remediation can take time, it’s best to begin addressing these issues as soon as scan results are available.

Recent Updates to PCI DSS requirements:
Effective April 1, 2025, PCI DSS requirement 11.3.1.1 requires remediation of non-high/critical vulnerabilities based on a Targeted Risk Analysis, following specific guidance outlined in requirement 12.3.1. Proactive remediation planning is more important than ever.

5. Thoroughly Document ASV Scan Remediation Activities

Even with timely remediation, documentation is essential. If vulnerabilities take time to resolve, having a detailed record of remediation efforts provides critical support during an assessment.

Key details to track:

  • What actions were taken
  • When they occurred
  • Who performed the work
  • Results and outcomes of each remediation step

Maintaining this audit trail demonstrates diligence and supports your position with an assessor when remediation cycles run long.

Final Thoughts on ASV Scanning Best Practices

ASV scans are not just a checkbox—they are a critical part of maintaining a secure and compliant environment. By taking a disciplined approach to timing, scope, certification, remediation, and documentation, your organization will be better prepared to meet PCI requirements and avoid preventable compliance pitfalls.

Contact Us for ASV Scanning Support

For expert guidance and assistance with your ASV scanning efforts, don't hesitate to reach out to Justin Bonk with Freed Maxick Risk Advisory Services at justin.bonk@freedmaxick.com or via the form below.