Do I have to run an External Vulnerability Scan (ASV scan) on my website? – PCI

If your business requires ASV website scanning for PCI DSS compliance, the "Be scan compliant" widget will appear on your dashboard after completing your business profile.

If you accept card payments through your website, PCI DSS ASV scans must be run on your website domain. Who is responsible for managing this will depends on the set up of your website.

If your website is fully managed by an external PCI DSS compliant organization:

They are responsible for security
They must provide passing ASV scan reports for in-scope targets at least every 90 days
You need these reports to maintain your compliance.

Note: If you don't use a fully managed PCI DSS compliant organization, you are responsible for running scans and maintaining scan compliance.

You must run scans if you either:	No scanning required by you if:
Outsource your e-commerce website to a third-party provider who is not PCI DSS validated Your website redirects customers to a third party for payment processing Your website includes third-party embedded payment pages/forms in an iFrame	You outsource your e-commerce website to a PCI DSS-validated third-party provider. Instead, you must: Review the provider's Attestation of Compliance (AOC). Confirm your store is fully within their scope. Verify their ASV scans are consistently passing.