What is a PCI Approved Scanning Vendor?

Rate this article: 1 Star2 Stars3 Stars4 Stars5 Stars (6 votes, average: 2.33)

PCI DSS affects any organization that accepts payment cards. Turns out that’s most businesses. And it also just so happens that payment cards are a lucrative and enticing target for enterprising cybercriminals. That makes PCI DSS compliance doubly important. Not only are you in line for fines and penalties for non-compliance, but the very relationships that form the foundation of your business – your banking partners, your customers, even your employees – also fray when payment card information isn’t properly protected.

To help safeguard this valuable information as it passes through our hands, PCI DSS Section 11.2 mandates that all organizations undergo quarterly external scanning.

Paraphrasing here, but organizations are to:

  • Scan at least once quarterly
  • Rectify any security issues the scans kick up
  • Provide documentation to the PCI regulatory body

PCI Approved Vendor Scan Requirements

Doing custom, proprietary scans would consume far more time and resources than most organizations have. Not only would you need to build a scanner, you’d need to maintain it with up-to-date threat models and malware tests. There are over 30,000 different types of malware scans alone. Then you’d also have to learn to collect and interpret the data, you’d need to arrive at mitigation strategies and put them into action when the scans inevitably find little vulnerabilities. And you’d have to finish by taking all of that data and compiling it into a readable report at the end of each quarter.

PCI scanning requires that comprehensive vulnerability scans be performed that scan all:

  • external IP addresses
  • web servers
  • devices such as routers and firewalls
  • domain name servers
  • virtual hosts
  • mail servers
  • wireless access points
PCI Approved Vendor Scan Example
A sample PCI scan report.

Found vulnerabilities are then classified as Urgent, Critical, High, Medium, or Low.

That depth of scanning is just not feasible for most organizations. And the PCI planned for that, too. That’s why organizations that collect payment cards must go through one of 97 approved scanning vendors or ASVs. Much like in the PKI industry, these vendors operate under the strictest guidelines and are vetted regularly to ensure they can maintain their trusted status.

It’s those ASVs that foot the cost of PCI scanner development and upkeep. They provide the security intel and guidance. And their software compiles the report. You simply need to submit the documentation at the end.

How Much Does a PCI Approved Scanning Vendor Cost?

Unfortunately, many of these scanning services cost thousands of dollars per year. McAfee’s can cost upwards of $5,000 for a single domain.

Sectigo/Comodo CA operates on the opposite end of the spectrum. HackerGuardian PCI scanner can be purchased for just $81.90 per year and performs all the same functions and fixes as every other ASV scanner.

Save 67% on PCI Scanning

Get Comodo HackerGuardian PCI Scanner for only $81.90/year.

Start Scanning