What Is a PCI ASV Scan? A Guide to PCI DSS Compliance Scanning
“We do not store any credit card data, we outsource it. PCI DSS is not relevant for us.” If you think this way, you are not alone, but it is a misconception. The Payment Card Industry Data Security Standard (PCI DSS) is designed to enhance the security of credit card data. It applies to all organizations that store, process, or transmit cardholder data and sensitive authentication data, or that could affect the security of the environment used for such data. This includes all organizations involved in card processing, such as merchants, acquiring banks, issuing banks, and service providers, even those not directly handling card data, like hosting providers.
Achieving and maintaining PCI DSS compliance requires regular vulnerability scans, both internal and external. In practice, however, many organizations are uncertain about the external scans, which must be performed by approved experts known as Approved Scanning Vendors (ASVs).
Not surprisingly, external compliance scans, together with penetration tests, are among the least commonly completed of the nearly eighty PCI DSS requirements. Only 61.5% of organizations complete them, contributing to the low overall full PCI compliance rate of 41.3% as of 2023 according to the Verizon 2024 Payment Security Report. This article explains the PCI requirements and what you need to know about PCI ASVs and compliance scans.
Background
Credit card data, especially Primary Account Numbers (PANs), are extremely valuable to fraudsters. Cybercriminals invest significant effort to steal them, using methods ranging from phishing to targeted attacks against organizations that handle card data. A single leak in a checkout integration, a misconfigured firewall, or an unpatched software vulnerability can be enough to compromise your systems.
All parties involved in credit card transactions share the responsibility of protecting cardholder data. Major card brands operate security programs to enforce minimum standards. For example, Mastercard runs the Site Data Protection program and Visa operates the Account Information Security program. PCI DSS was first published in December 2004 as version 1.0 to unify these requirements. Since 2006, the Payment Card Industry Security Standards Council, PCI SSC, has been responsible for updates. The current version is PCI DSS 4.0.1, released in June 2024.
The standard defines requirements that generally apply to all relevant organizations and outlines methods to demonstrate compliance. These include a Report on Compliance or a Self-Assessment Questionnaire. Whether a specific organization must comply or validate compliance is determined by the entities it works with, such as issuers or acquirers. These entities also define penalties for noncompliance, which can reach up to one hundred thousand dollars in severe cases.
What requirements does PCI DSS specify
PCI DSS defines twelve core requirements across six areas:
- Build and maintain a secure network and systems including implementation of controls and secure configuration
- Protect account data both at rest and during transmission over public networks
- Vulnerability management, including protection against malware and maintaining secure systems and software
- Strong access control measures covering restriction of access rights, identification and authentication, and limiting physical access
- Regularly monitor and test networks including access monitoring, logging, and regular security tests of systems and networks
- Information security policy including organizational policies and programs for information security
All requirements apply specifically to systems, components, personnel, and processes that store, process, or transmit cardholder data, collectively called the Cardholder Data Environment (CDE), and systems connected to it.
Requirement 11, which falls under the fifth area (regularly monitor and test networks), is especially relevant. It mandates regular internal and external vulnerability scans and penetration tests to identify, prioritize, and remediate exploitable vulnerabilities. For more details on the differences between scan types and PCI DSS penetration testing requirements, refer to our detailed blog article.
What are PCI vulnerability scans and what is an ASV
Vulnerabilities remain one of the main entry points for attackers and their importance continues to grow. According to the Verizon 2024 Data Breach Investigations Report, the number of incidents where vulnerabilities were the decisive attack vector increased by 180% year over year. In the 2025 report, vulnerabilities accounted for 20% of incidents, surpassing phishing at 16% and ranking just behind credential abuse at 22%.
Organizations seeking PCI compliance must conduct regular vulnerability scans. Since April 1, 2025, this requirement also applies to many online merchants that fully outsource payment processing and otherwise qualify for Self-Assessment Questionnaire A (SAQ A). If their website redirects customers to a payment page or embeds a payment form, they must have external vulnerability scans performed by an ASV at least quarterly.
You might ask, why not scan internally yourself? Internal scanning is required but not sufficient. PCI DSS distinguishes between internal and external vulnerability scans. External scans are performed from outside the network and are critical because externally accessible networks face greater risk. Approved Scanning Vendors ensure quality and reliability. They view your network and systems as an attacker would and use similar methods to identify exploitable vulnerabilities. Penetration tests, on the other hand, simulate real attacks and may be conducted from inside, outside, or both.
ASVs are companies that provide external vulnerability scanning as a service. They are tested by the PCI SSC through a structured evaluation process and approved as ASVs. This approval is renewed annually.
How an external PCI Compliance Scan works
An ASV scan examines your internet-facing systems and domains within or connected to your CDE for potential weaknesses that attackers could exploit. This includes known software vulnerabilities, misconfigurations, and insecure protocols. The scan solution references a CVE database containing all known vulnerabilities with CVSS severity ratings. The goal is to identify vulnerabilities, assess risk, and remediate them. Multiple scan cycles are often required to close vulnerabilities and achieve a passing result.
The organization being scanned must define the scan scope, including CDE-relevant internet-facing components, domains, and IP ranges, and ensure that protective systems or load balancers do not interfere with scanning. The organization must also exercise due diligence when selecting an ASV to ensure the vendor’s reliability, qualifications, skills, experience, and trustworthiness.
Passing an ASV Scan
PCI DSS requires ASV scans at least quarterly and after significant network or system changes. Passing a scan means no medium or high severity vulnerabilities remain. CVSS scores from 4.0 to 6.9 are considered medium, and 7.0 to 10.0 are high severity. When a scan passes, the ASV provides an Attestation of Scan Compliance and a detailed scan report. A failed scan is not critical in itself: remediate the identified issues, and the next scan should pass.
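The pass/fail rule above is easy to apply by hand to one finding, but an ASV report typically lists dozens across several hosts. The following added example (not Outpost24 code and not the ASV Program Guide's own logic) shows how a team might triage such a report: it buckets each finding by the CVSS thresholds the article states, decides pass/fail, and groups the findings that block a passing result by host with the highest-scoring ones first. The report layout, host names and CVE identifiers are constructed placeholders; real ASV reports use their own formats.

```python
"""Triage findings from an external (ASV-style) scan against the PCI pass/fail
severity thresholds described in the article.

Constructed example: the findings below are made up (placeholder CVE ids,
hypothetical hosts) and the JSON layout is an assumption, not a real report format.
"""
import json

# Thresholds from the article: CVSS 4.0-6.9 is medium, 7.0-10.0 is high.
# A scan passes only if no medium or high finding remains.
MEDIUM_MIN = 4.0
HIGH_MIN = 7.0

# Constructed sample report (hypothetical hosts, placeholder CVE ids).
SAMPLE_REPORT = json.dumps([
    {"host": "shop.example.com", "cve": "CVE-0000-0001", "cvss": 9.8,
     "title": "Outdated TLS library with known RCE (placeholder)"},
    {"host": "shop.example.com", "cve": "CVE-0000-0002", "cvss": 5.3,
     "title": "TLS 1.0 still enabled (placeholder)"},
    {"host": "api.example.com", "cve": "CVE-0000-0003", "cvss": 3.9,
     "title": "Server version banner disclosed (placeholder)"},
    {"host": "api.example.com", "cve": "CVE-0000-0004", "cvss": 4.0,
     "title": "Weak cipher suite offered (placeholder)"},
])


def severity(cvss: float) -> str:
    """Bucket a CVSS base score using the article's thresholds."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    if cvss >= HIGH_MIN:
        return "high"
    if cvss >= MEDIUM_MIN:
        return "medium"
    return "low"


def triage(report_json: str) -> dict:
    """Return pass/fail, per-severity counts, and the findings that must be
    remediated before the scan can pass, grouped by host."""
    findings = json.loads(report_json)
    failing = {}
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        sev = severity(float(f["cvss"]))
        counts[sev] += 1
        if sev in ("high", "medium"):
            failing.setdefault(f["host"], []).append(
                {"cve": f["cve"], "cvss": f["cvss"], "severity": sev, "title": f["title"]})
    # Highest-scoring finding first, so remediation starts where the risk is greatest.
    for host in failing:
        failing[host].sort(key=lambda x: x["cvss"], reverse=True)
    return {"passed": not failing, "counts": counts, "remediate": failing}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("PASS" if result["passed"] else "FAIL", result["counts"])
    for host, items in result["remediate"].items():
        for item in items:
            print(f"  {host}: {item['cve']} CVSS {item['cvss']} "
                  f"({item['severity']}) - {item['title']}")
```

Note that a score of exactly 4.0 fails the scan while 3.9 does not; the boundary is inclusive on the medium side, which is why the sample includes both values. Low-severity findings are still counted so they can be tracked, but they do not block a passing result.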
How Outpost24 can help
With over 20 years as a PCI ASV, Outpost24 helps organizations of all sizes achieve and maintain compliance with confidence. Our team of certified PCI professionals supports you at every stage of your compliance journey, from initial visibility to final testing and reporting.
To ensure your security posture is both robust and agile, we offer a streamlined approach built on:
- Confidence and expertise: Leverage two decades of experience to navigate complex audits without the stress.
- Flexibility: Choose between quarterly scanning or continuous monitoring to fit your specific operational needs.
- Shadow IT discovery: Identify previously undiscovered components using Outscan PCI, helping you uncover and secure shadow IT across your network.
- Operational efficiency: Our solutions adapt to your requirements, simplifying the process so you stay secure and audit-ready without the manual overhead.
Ready to streamline your compliance? Contact us to speak with an expert or book a demo today.