ASV (Approved Scanning Vendor) scans must be completed and passed at least every 90 days to maintain PCI compliance. You'll need an initial scan to validate compliance; after that, you'll receive email notifications every 90 days when your next scan is due.
When do you need ASV scans?
ASV scans are required in specific scenarios where your payment systems connect to the internet:
Internet-connected terminals
If you use physical payment terminals connected to the internet, you may need to scan your external network connection. The ASV scan checks your business's external/public IP address for security vulnerabilities.
Website payment processing
If you accept card payments through your website, ASV scans check for security vulnerabilities in your web-based payment systems that could expose customer payment data to hackers.
What ASV scans check
ASV scans examine your internet-facing systems for:
- Known security vulnerabilities
- Weak configurations that could be exploited
- Open ports or services that shouldn't be accessible
- Security gaps that could lead to data breaches
Important notes
- Passing scans are required—failed scans must be remediated and re-scanned until they pass
- Your payment processor or ASV provider will notify you when scans are due
- Some compliance levels may require more frequent scanning than the 90-day minimum
Work with your payment processor to determine if ASV scanning applies to your specific payment setup and compliance requirements.