How to Choose an ASV

Bottom Line Up Front

If you just received a PCI compliance questionnaire from your payment processor and you’re wondering what an ASV is (and whether you need one), here’s what matters: an ASV is an Approved Scanning Vendor that runs quarterly security scans on your network. If you accept credit cards online, have an e-commerce website, or process payments through any internet-connected system, you’ll need these scans. The good news? ASV scanning is straightforward, automated, and typically costs less than $300 per year. Most small businesses can complete their entire PCI compliance — including ASV scans — in an afternoon.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements that apply to every business that accepts credit cards. The major card brands — Visa, Mastercard, American Express, and Discover — created these standards through the PCI Security Standards Council to protect cardholder data from theft and fraud.

Your acquirer (the bank or payment processor that handles your card transactions) enforces these requirements. That questionnaire they sent you? It’s their way of verifying you’re following the security standards. They’re required to collect this documentation from every merchant they serve.

The consequences of non-compliance range from annoying to business-ending. Your processor can fine you monthly (typically $5-100 for small merchants), increase your processing rates, or even terminate your ability to accept cards. If you have a data breach while non-compliant, you could face fines up to $500,000 and be liable for fraudulent charges.

Here’s what should ease your mind: most small businesses qualify for the simplest compliance requirements. If you’re reading this guide, you’re probably a Level 4 merchant (processing fewer than 20,000 e-commerce transactions or 1 million total transactions annually), which means you can self-assess your compliance using a simplified questionnaire called an SAQ.

Do You Need to Be PCI Compliant?

Simple answer: if you accept credit cards in any form, yes. This includes:

  • Physical card readers and terminals
  • Online payments through your website
  • Phone orders where customers read you their card number
  • Mail order forms
  • Mobile payment apps
  • Even if you only process one card payment per year

Your merchant level determines how you validate compliance:

Annual Transaction Volume                          | Merchant Level | Validation Required
Over 6 million                                     | Level 1        | Annual onsite assessment by QSA
1-6 million                                        | Level 2        | Annual SAQ + quarterly ASV scans
20,000-1 million e-commerce                        | Level 3        | Annual SAQ + quarterly ASV scans
Under 20,000 e-commerce OR under 1 million total   | Level 4        | Annual SAQ + quarterly ASV scans (if applicable)

The compliance questionnaire your processor sent is their way of collecting your annual validation. They need it to show the card brands that their merchants are following security standards. Miss their deadline, and those monthly non-compliance fees start immediately.

Which SAQ Do You Need?

The Self-Assessment Questionnaire (SAQ) comes in different versions based on how you accept payments. Think of it as choosing the right tax form — you want the simplest one that accurately describes your business.

Here’s how to choose:

How You Accept Payments                                                        | Your SAQ Type | Number of Questions
E-commerce with fully hosted checkout (PayPal, Stripe Checkout, Shopify)       | SAQ A         | 22 questions
E-commerce with payment fields on your site (WooCommerce with Stripe Elements) | SAQ A-EP      | 191 questions
Standalone terminals only (Square reader, Clover terminal)                     | SAQ B         | 41 questions
Terminals connected to the internet (terminal plugs into your router)          | SAQ B-IP      | 82 questions
Manual card entry (virtual terminal, phone orders)                             | SAQ C-VT      | 160 questions
Old-school paper imprints (if you still use these)                             | SAQ C         | 139 questions
You store card numbers (please stop doing this)                                | SAQ D         | 329 questions

For service providers: There’s SAQ D for Service Providers with 329 requirements, and you’ll definitely need quarterly ASV scans.

PCICompliance.com offers a free SAQ Wizard that asks you a few simple questions about your payment setup and tells you exactly which SAQ applies. No guessing required.

What’s an ASV and When Do You Need One?

An Approved Scanning Vendor (ASV) is a company certified by the PCI Security Standards Council to perform external vulnerability scans on your network. Think of it as a security checkup for any systems that touch the internet and handle card data.

You need quarterly ASV scans if:

  • You have an e-commerce website (SAQ A-EP or SAQ D)
  • Your payment terminals connect to the internet (SAQ B-IP)
  • You use web-based virtual terminals (SAQ C-VT)
  • You’re any merchant processing more than 20,000 e-commerce transactions annually
  • Your payment processor specifically requires it (check your compliance packet)

You typically DON’T need ASV scans if:

  • You only use standalone, dial-out terminals (SAQ B)
  • You redirect all online payments to a hosted payment page (SAQ A)
  • You only accept cards face-to-face through P2PE-validated terminals

The scan itself is automated — the ASV runs security tests against your public IP addresses looking for vulnerabilities that could be exploited by attackers. It typically takes 30-60 minutes and runs in the background without disrupting your business.

How to Choose an ASV

With over 100 approved vendors, choosing an ASV can feel overwhelming. Here’s what actually matters:

Essential Features:

  • PCI SSC approved — verify them on the official ASV list
  • Automated scanning — no manual configuration needed
  • Clear reporting — you need passing scan reports for compliance
  • Remediation guidance — they should explain how to fix any issues
  • Support included — you’ll have questions, especially the first time

What to Compare:

  • Price: Typically $200-500 per year for small merchants
  • Scan frequency: Quarterly is required, but some include monthly or on-demand
  • Number of IPs included: Most small businesses need 1-5 IP addresses scanned
  • Compliance dashboard: Somewhere to track your scan history and download reports
  • Integration with SAQ tools: Completing everything in one platform saves time

Red Flags to Avoid:

  • Extremely cheap options (under $100/year) often have hidden fees
  • Vendors not on the official PCI SSC list
  • Companies that require long-term contracts
  • Services that make you configure scans manually
  • Providers with poor support reviews

PCICompliance.com includes ASV scanning with our compliance platform — schedule your scans, track remediation, and submit everything to your processor from one dashboard.

What Happens During an ASV Scan

Understanding the scan process removes much of the anxiety:

1. Provide your IP addresses — usually just your website’s public IP or payment system addresses
2. Schedule the scan — pick a low-traffic time, though impact is minimal
3. Scan runs automatically — takes 30-90 minutes, testing for thousands of vulnerabilities
4. Receive your report — usually within 24 hours
5. Review findings — the report shows any vulnerabilities found
6. Fix failures (if any) — most issues are simple: outdated software, unnecessary services
7. Rescan if needed — fixes verified with a free rescan
8. Submit passing report — include with your SAQ when filing compliance

Common scan findings and fixes:

  • Outdated SSL certificates or protocols → renew the certificate and require TLS 1.2 or higher
  • Open administrative ports → restrict access or close unnecessary services
  • Missing security patches → apply updates to your web server
  • Weak encryption protocols → disable old SSL versions
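An added self-check for the "weak encryption protocols" finding (example code written for this page, not PCICompliance.com's or any ASV's tooling): it handshakes with one of your public endpoints once per TLS version, the way a scanner does, and reports the verdict you would otherwise wait for in the quarterly report. The host and port are placeholders, and the pass/fail policy (TLS 1.0 and 1.1 disallowed) is this example's assumption.

```python
"""Pre-scan self-check: which TLS versions does a public endpoint negotiate?"""
import socket
import ssl

# Example policy (assumption for this page): SSLv3 and TLS 1.0 are
# disallowed by PCI DSS; TLS 1.1 is treated as weak here as well.
WEAK_VERSIONS = {"SSLv3", "TLSv1", "TLSv1_1"}
ACCEPTABLE_VERSIONS = {"TLSv1_2", "TLSv1_3"}
PROBE_ORDER = ["TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]  # ssl.TLSVersion names


def accepts_version(host: str, port: int, name: str, timeout: float = 5.0) -> bool:
    """True if the server completes a handshake pinned to exactly one version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # protocol support is the question, not the cert
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion[name]
        ctx.maximum_version = ssl.TLSVersion[name]
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError, ValueError):
        # SSLError/OSError: the server refused this version.
        # ValueError: the local OpenSSL build cannot even offer it, so it is
        # reported as not observed rather than as supported.
        return False


def supported_versions(host: str, port: int = 443) -> set[str]:
    """Names of the TLS versions the endpoint will negotiate."""
    return {name for name in PROBE_ORDER if accepts_version(host, port, name)}


def asv_verdict(supported: set[str]) -> tuple[str, list[str]]:
    """Evaluate a probe result against the policy above.

    Returns ("PASS" or "FAIL", remediation actions), mirroring the
    finding-plus-fix layout of an ASV report.
    """
    actions = [f"disable {v}" for v in sorted(supported & WEAK_VERSIONS)]
    if not supported & ACCEPTABLE_VERSIONS:
        actions.append("enable TLS 1.2 or higher")
    return ("FAIL" if actions else "PASS"), actions


if __name__ == "__main__":
    HOST, PORT = "shop.example", 443        # placeholder: use your own public IP
    found = supported_versions(HOST, PORT)
    verdict, fixes = asv_verdict(found)
    print(f"{HOST}:{PORT} negotiates {sorted(found) or 'nothing'} -> {verdict}")
    for fix in fixes:
        print("  fix:", fix)
```

Run it against each public IP you will hand to the ASV; a FAIL here is the same finding the scan would report, fixed before it costs you a rescan cycle.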

How Much Does This Cost?

Let’s talk real numbers for PCI compliance:

SAQ Tools and Support:

  • Free: Download SAQs directly from PCI SSC (but no guidance)
  • $100-300/year: Compliance platforms with wizards and support
  • $500-1,500/year: Managed compliance services

ASV Scanning:

  • $200-500/year: Standard quarterly scanning for 1-5 IPs
  • $500-2,000/year: Advanced scanning with more IPs and features
  • $2,000+/year: Enterprise solutions with unlimited IPs

If You Need a QSA:

  • Level 1 merchants only (over 6 million transactions)
  • $15,000-50,000 for annual onsite assessment
  • Not required for most small businesses

The Cost of NON-Compliance:

  • Monthly fines: $5-500 depending on processor and merchant level
  • Increased processing rates: 0.5-1% higher
  • Breach liability: Average $150 per compromised card
  • Lost ability to accept cards: Priceless (in the worst way)

For most small merchants, total annual compliance costs less than $500 — far less than a single month of non-compliance fines or a single breach.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done checkbox. Your validation expires annually, and ASV scans are required quarterly. Here’s how to stay on track:

Set These Reminders:

  • Quarterly: Schedule ASV scans (every 90 days)
  • Annually: Complete and submit your SAQ
  • Monthly: Review any security alerts from your payment processor
  • As needed: Update your assessment if your payment methods change

What Triggers a New Assessment:

  • Adding e-commerce to a retail-only business
  • Switching payment processors or gateways
  • Starting to store cardholder data (don’t do this)
  • Significant network changes affecting payment systems
  • Moving from outsourced to in-house payment processing

Documentation to Maintain:

  • Current network diagram showing payment flows
  • ASV passing scan reports (keep 12 months)
  • Completed SAQ and AOC
  • Security policies and procedures
  • Evidence of employee security training

PCICompliance.com’s compliance dashboard tracks all these dates, sends reminders, and stores your documentation in one secure location. No more scrambling when your processor asks for last quarter’s scan report.

FAQ

Do I really need PCI compliance if I’m just a small business?

Yes, size doesn’t matter when it comes to PCI requirements. Every business that accepts credit cards must validate compliance annually. The good news is that small businesses qualify for the simplified SAQ process, which you can usually complete in 1-2 hours.

What’s the difference between an ASV scan and penetration testing?

ASV scans are automated external vulnerability scans required quarterly for certain SAQ types. Penetration testing is a manual security assessment required annually for SAQ D merchants and service providers — think of it as hiring ethical hackers to try breaking into your systems.

Can I use any vulnerability scanner or does it have to be an ASV?

It must be an ASV approved by the PCI Security Standards Council. Regular vulnerability scanners, even excellent ones, don’t produce the official reports required for PCI compliance. Your ASV must be on the official list.

What if my ASV scan fails?

Don’t panic — initial scan failures are common. The ASV report will detail each vulnerability and its severity. Most failures are due to outdated software or unnecessary services that are easily fixed. You get free rescans to verify your fixes.

How do I know which IP addresses need scanning?

Any public-facing IP address that handles cardholder data needs scanning. This typically includes your e-commerce website, payment gateway connections, and any web-based payment terminals. If unsure, your web hosting provider or IT support can identify your public IPs.

Can I do ASV scanning myself if I’m technical?

No, ASV scans must be performed by an approved third-party vendor. This independence ensures objective results. Even if you have security expertise, you cannot self-certify your ASV scans.

What if I only accept payments through PayPal or Square?

If you redirect customers entirely to PayPal or Square’s hosted payment pages (they never enter card details on your site), you likely qualify for SAQ A, which doesn’t require ASV scanning. However, if you use PayPal Payments Pro or similar solutions where customers stay on your site, you’ll need quarterly scans.

How long do I have to keep ASV scan reports?

The PCI DSS requires maintaining 12 months of passing quarterly ASV scan reports. Your processor may ask to see these during annual compliance validation or if there’s ever a security incident.

Conclusion

PCI compliance might seem overwhelming when that first questionnaire arrives from your payment processor, but for most small businesses, it’s simpler than you think. Identify your SAQ type, complete the questionnaire, schedule quarterly ASV scans if required, and submit your documentation annually. The entire process typically costs less than $500 per year and protects both your business and your customers from card fraud.

The key to choosing an ASV is finding one that makes compliance simple — automated scanning, clear reports, helpful support, and reasonable pricing. Look for vendors that integrate ASV scanning with SAQ tools so you can manage everything in one place.

PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Start with the free SAQ Wizard or talk to our compliance team about getting your business compliant quickly and staying that way.
