Continuous Security

PCI ASV Scanning

Quarterly external vulnerability scans by a PCI SSC Approved Scanning Vendor — scheduled, tracked and reported through Sentry, with rescans at no extra charge until you pass.

A PCI ASV scan is an external vulnerability scan performed by an Approved Scanning Vendor — an organisation approved by the PCI Security Standards Council to conduct scans for PCI DSS compliance purposes. Under PCI DSS Requirement 11.3.2, many merchants and service providers must have these scans run at least quarterly against their internet-facing systems, and must achieve a passing result to maintain compliance.

Blackfoot is an Approved Scanning Vendor, authorised by the PCI SSC, and a PCI QSA company — so the people scoping, running, and supporting your scans understand PCI DSS from the assessor's side as well as the scanner's. Our ASV scanning service makes vulnerability scanning for PCI DSS compliance simple, no matter how complex your environment might be.

While ASV scanning is similar to other types of external vulnerability assessment, it is not interchangeable with them: the scans must follow the PCI SSC's ASV programme requirements, be performed by an approved vendor, and produce a compliant report. Scoping matters just as much — miss part of your cardholder data environment's external perimeter and the attestation may not hold up. That is why our Qualified Security Assessors help define the scope before anything is scanned, based on your unique cardholder data environment.

Why the PCI ASV scan matters beyond the checkbox

While an ASV scan exists to satisfy a compliance requirement, its real value is what it finds: vulnerabilities, misconfigurations, and security weaknesses in your externally facing systems that could lead to the compromise of payment card data. Regular scanning highlights these weaknesses as they occur, supporting rapid remediation, a more secure cardholder data environment, and assurance to your stakeholders and customers that your environment is well maintained and free of high-risk vulnerabilities.

Scans are scheduled, tracked, and reported through the Sentry platform, giving you a clear view of findings, severities, and remediation progress alongside any other Blackfoot testing and scanning services you use. Our experienced security testers are on hand to advise on remediating what the scans find, and where an initial scan reveals failing vulnerabilities, we rescan at no additional charge until you achieve a pass.

Once a passing scan is achieved, we issue your Attestation of Scan Compliance — the ASV scan report you submit to demonstrate compliance with PCI DSS requirements. And because Blackfoot is also a PCI QSA company, the same team can support the rest of your PCI DSS programme, from assessment to audit.

What you get

Meet Requirement 11.3.2

Quarterly external vulnerability scans by a PCI SSC Approved Scanning Vendor, as PCI DSS demands.

QSA-led scoping

Blackfoot's Qualified Security Assessors help define scan scope correctly around your cardholder data environment.

Rescans at no extra charge

If a scan fails, we rescan after remediation until you achieve a pass — included in the service.

Attestation of Scan Compliance

A passing scan concludes with the formal ASV scan report you need for your compliance submission.

Expert remediation support

Our experienced security testers help you understand and fix what the scans find.

Everything tracked in Sentry

Scheduling, findings, severities, and remediation progress in one platform, alongside your other Blackfoot services.

How it works

  1. 01

    Scope identification

    Blackfoot's Qualified Security Assessors work with you to define the scope of the scan, based on your unique cardholder data environment.

  2. 02

    Scan configuration and scheduling

    We configure scanning against the external perimeter of the identified scope and schedule your quarterly cadence in Sentry.

  3. 03

    Scan execution and assessment

    Scans probe your externally facing systems for vulnerabilities, misconfigurations, and security weaknesses, with each finding assessed for severity and potential impact.

  4. 04

    Reporting and remediation

    Comprehensive results land in Sentry with severity levels and recommended remediation steps, and our security testers are on hand to support your fixes.

  5. 05

    Rescan and attestation

    PCI DSS requires rescanning to confirm high-risk vulnerabilities are resolved — which we do at no additional charge. Once you achieve a passing scan, we issue your Attestation of Scan Compliance.

Frequently asked questions

Straight answers to what prospective clients ask us most.

Who needs PCI ASV scans?

PCI DSS Requirement 11.3.2 requires many merchants and service providers that store, process, or transmit payment card data to undertake external vulnerability scans at least quarterly, performed by an Approved Scanning Vendor. Your acquiring bank or your Self-Assessment Questionnaire type determines whether the requirement applies to you — if you are unsure, our QSAs can tell you quickly.

What happens if a scan fails?

A failing scan is not unusual, and it is not the end of the process. You remediate the failing vulnerabilities — with advice from our security testers where you need it — and we rescan at no additional charge to confirm the fixes. The cycle repeats until you achieve a passing result.

What is an Attestation of Scan Compliance?

It is the formal ASV scan report issued once you achieve a passing scan, demonstrating compliance with the PCI DSS external scanning requirement. You submit it to your acquirer or include it in your compliance evidence. Blackfoot issues yours as soon as a passing scan is achieved.

Is an ASV scan the same as a penetration test?

No. An ASV scan is an automated external vulnerability scan run quarterly for PCI DSS compliance; a penetration test is a manual, expert-led exercise that attempts to exploit weaknesses to prove real-world impact. PCI DSS treats them as separate requirements, and many organisations need both — Blackfoot provides both under one roof.

How do I see my scan results?

Scans are scheduled, tracked, and reported through the Sentry platform. You see findings with severity levels and recommended remediation steps as scans complete, and can track remediation progress through to your passing scan and attestation.

Ready to talk about pci asv scanning?

Get a fixed-scope quote, usually the same working day.