PCI Scanning Guide 2026: ASV & Authenticated Internal Scans

When someone searches for a PCI scan, PCI scanning, ASV scan, PCI ASV scan or PCI compliance, they are usually looking for two things: a clear explanation of the scanning requirements and a trusted service provider. Payment Card Industry Data Security Standard (PCI DSS) requirements protect cardholder data by mandating regular vulnerability scanning and other security controls. PCI DSS version 4.0.1 (which became fully effective for all merchants on 31 March 2025) tightened those requirements.
Businesses that process or store payment card data must now demonstrate passing external scans performed by an Approved Scanning Vendor (ASV) at least every three months[1][2], as well as authenticated internal scans and testing after network changes[3]. Non-compliance can result in significant financial penalties and reputational harm: for example, UC Santa Cruz's guidance warns that payment card brands may levy fines of up to $500,000 per incident for breaches and that the cost of customer notification and lost business can far exceed that amount[4].
Clone Systems, a long-standing PCI Approved Scanning Vendor, helps merchants and service providers meet these requirements by offering a comprehensive, self-service scanning platform, unlimited rescans and reseller programs. This guide answers common questions about PCI scanning, explains the latest framework updates, and shows why Clone Systems' solutions stand out.
What is PCI compliance scanning?
PCI compliance scanning refers to testing systems and networks for security vulnerabilities to ensure adherence to PCI DSS. An ASV scan examines an organization's externally facing network or website from the outside to verify compliance and highlight potential data-security challenges[5]. A scan identifies known vulnerabilities, misconfigurations and exposures that could be exploited by attackers.
Key points:
- Who needs to scan? Merchants and service providers within the scope of PCI DSS must conduct vulnerability scans. The requirement for external scans by an ASV applies to all merchants, including those completing Self-Assessment Questionnaire A[1].
- Who performs the scans? PCI DSS requires organizations to use an Approved Scanning Vendor (ASV), a third-party security provider approved by the PCI Security Standards Council, to conduct external vulnerability scans[6]. Internal vulnerability scans may be performed by qualified internal personnel, but external scans must be performed by an ASV to be accepted by acquiring banks.
- What happens after scanning? The ASV issues an Attestation of Scan Compliance (AoSC) that documents the scan results. Organizations must fix identified vulnerabilities and request a retest until they receive a passing AoSC[7].
- How often? External scans must be performed at least quarterly and after significant changes[2]; internal scans should be authenticated and use sufficient privileges[3]. External scanning requirements now extend to merchants completing SAQ A and remain mandatory for all other merchants[1]. Penetration tests (deeper, manual assessments) must be performed annually and after any significant infrastructure or application changes[8].
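The cadence rules in the key points above (a passing external scan at least every three months, a fresh passing scan after significant changes, and rescans until a failed scan passes) are easy to lose track of across several environments. As an added illustration, not code from this page or from Clone Systems, the following Python tracker applies those rules to a constructed scan history and reports what is overdue. The record types, the sample dates, and the 90-day reading of "every three months" are assumptions made for the example.

```python
"""Check an external ASV scan history against the PCI DSS cadence rules
described above: a passing scan at least every three months, a new passing
scan after significant changes, and rescans until a failed scan passes.

Added example; not code from the page or from any ASV. The 90-day window,
the record types and all sample dates are assumptions / constructed data.
"""
from dataclasses import dataclass
from datetime import date, timedelta

QUARTER_DAYS = 90  # assumption: "every three months" treated as a 90-day window


@dataclass(frozen=True)
class ScanResult:
    scanned_on: date
    passed: bool  # True when the ASV issued a passing AoSC for this scan


@dataclass(frozen=True)
class SignificantChange:
    occurred_on: date
    description: str  # e.g. new public host, firewall rule change


def last_passing_scan(scans):
    """Most recent scan with a passing AoSC, or None if there is none."""
    passing = [s for s in scans if s.passed]
    return max(passing, key=lambda s: s.scanned_on) if passing else None


def next_scan_due(scans):
    """Date by which the next passing external scan must be completed."""
    last_pass = last_passing_scan(scans)
    if last_pass is None:
        return None
    return last_pass.scanned_on + timedelta(days=QUARTER_DAYS)


def compliance_findings(scans, changes, today):
    """Return (code, message) tuples; an empty list means the cadence is met."""
    findings = []
    last_pass = last_passing_scan(scans)
    if last_pass is None:
        findings.append(("NO_PASSING_SCAN", "no passing ASV scan on record"))
        return findings

    age = (today - last_pass.scanned_on).days
    if age > QUARTER_DAYS:
        findings.append(("QUARTERLY_OVERDUE",
                         f"last passing scan is {age} days old (limit {QUARTER_DAYS})"))

    # Any significant change dated after the last passing scan has not yet
    # been covered by a passing scan, because last_pass is the newest pass.
    for change in changes:
        if change.occurred_on > last_pass.scanned_on:
            findings.append(("CHANGE_UNSCANNED",
                             f"{change.description} on {change.occurred_on} needs a passing rescan"))

    # A failed scan newer than the last pass means known vulnerabilities are
    # still open: remediate and rescan until an AoSC is issued.
    open_failures = [s for s in scans
                     if not s.passed and s.scanned_on > last_pass.scanned_on]
    for failed in sorted(open_failures, key=lambda s: s.scanned_on):
        findings.append(("FAILED_SCAN_OPEN",
                         f"scan on {failed.scanned_on} failed and has not been rescanned to a pass"))
    return findings


# Constructed sample histories (not real scan data).
SAMPLE_TODAY = date(2025, 4, 15)
SAMPLE_SCANS = [
    ScanResult(date(2025, 1, 10), passed=True),
    ScanResult(date(2025, 4, 2), passed=False),
]
SAMPLE_CHANGES = [SignificantChange(date(2025, 3, 20), "new public web server")]
COMPLIANT_SCANS = [ScanResult(date(2025, 3, 1), passed=True)]

if __name__ == "__main__":
    for code, msg in compliance_findings(SAMPLE_SCANS, SAMPLE_CHANGES, SAMPLE_TODAY):
        print(f"{code}: {msg}")
    print("next scan due:", next_scan_due(SAMPLE_SCANS))
```

Run as a script, the sample history produces three findings: the January pass is older than 90 days, the March change has no passing scan after it, and the April scan failed and has not been rescanned to a pass. Feeding it the compliant history yields no findings and a due date 90 days after the last pass.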
What is an Approved Scanning Vendor (ASV)?
An Approved Scanning Vendor is an organization authorized by the PCI Security Standards Council to perform external vulnerability scans. Before an ASV's scanning solution is approved, it is tested and validated by the PCI SSC[9]. The ASV scans externally facing IP addresses and domains to identify vulnerabilities and then issues the official Attestation of Scan Compliance[10].
Important points:
- Verification: Always verify that your scanning provider is listed on the PCI SSC's current ASV list.
- Quarterly scans: ASVs must perform scans at least once every three months, and merchants must resolve high-risk vulnerabilities and undergo rescans until passing[2].
- Unlimited rescans: Some ASVs, like Clone Systems, include unlimited rescans; others charge extra for each rescan[11].
How PCI DSS 4.0.1 changed scanning requirements
PCI DSS 4.0.1 introduced updates that affect vulnerability scanning:
| Change | Description & citation |
| --- | --- |
| SAQ A merchants now need ASV scans | PCI DSS v4.x extended Requirement 11.3.2 to Self-Assessment Questionnaire A merchants to address breaches targeting e-commerce merchants. Evidence of passing external scans conducted by an ASV at least once every three months is now required[1]. |
| Authenticated internal scanning | Requirement 11.3.1.2 requires internal vulnerability scans to use authenticated scanning techniques, meaning the scanner must log in to systems using credentials to provide deeper insight[3]. |
| Emphasis on continuous scanning and segmentation | PCI DSS 4.0 stresses continuous security validation. Regular scans must be supplemented with scans after significant changes and segmentation testing to ensure that cardholder data is isolated[12]. |
| Documentation and remediation | The University of South Carolina's penetration-testing standard states that all exploitable vulnerabilities identified during testing must be corrected and a retest requested to confirm the issues are resolved[7]. It also requires final reports and remediation results to be retained for at least three years[13]. |
These changes underscore the need for proactive vulnerability management rather than a once-per-quarter "checkbox" approach.
Choosing an ASV: what to look for
While all ASVs are approved by the PCI SSC, the quality of service can vary. Consider the following when selecting a provider[14]:
- Approval status and reputation: Verify that the provider is listed as an ASV and check its history of successful scans.
- Reporting clarity: Scan reports should clearly indicate vulnerabilities, severity and remediation steps.
- Rescan policy: Unlimited rescans help ensure you can remediate without incurring extra costs[11].
- Support and expertise: Access to knowledgeable engineers who can help interpret results is crucial, especially for small organizations.
- Integration with other services: Some ASVs offer penetration testing, segmentation testing and managed security services, which can simplify your security stack[15].
Why Clone Systems?
Clone Systems is a PCI Security Standards Council-approved ASV that has provided scanning services for over 18 years[6].
Key benefits for merchants[16]
- Unmatched security: Clone Systems employs advanced encryption, segmentation testing and vulnerability management to protect your business and customers[17].
- Comprehensive coverage: Quarterly ASV scans, authenticated internal scanning, self-assessment questionnaires (SAQs), penetration testing and in-depth vulnerability scanning cover all PCI DSS 4.0.1 requirements[17].
- Simplified compliance: A user-friendly online portal allows you to schedule and run scans every 90 days, or as often as you like[18]. You get detailed remediation steps and unlimited rescans so you can fix issues and retest without extra cost[11].
- Reporting and documentation: Executive, detailed and attestation reports with ASV certification numbers meet bank reporting requirements, and the portal includes SAQ forms[19].
Options for resellers and partners[20]
- Revenue growth: Clone Systems offers white-label and API programs so hosting providers, payment processors and security firms can offer branded PCI compliance services[20].
- Dedicated support: Resellers receive training, sales tools and technical support to help them succeed[20].
- Future-proof compliance: Clone Systems keeps partners ready for the PCI DSS 4.0.1 requirements that became mandatory on March 31 2025, and for future updates[21].
What makes Clone Systems stand out?
- Unlimited scans at no extra cost: You can scan as frequently as needed to ensure vulnerabilities are fixed and deadlines are met[22].
- Self-service portal: The intuitive interface lets you schedule scans, view results, run SAQs, download AoSC reports and manage remediation from one place[23].
- Direct online purchasing: Clone Systems offers an online cart for immediate orders of PCI scanning, penetration testing and other services, making it easy for merchants to get started quickly.
- Reseller and referral programs: Partners can integrate Clone Systems' scanning engine into their own offerings or refer customers for commission, enabling flexible business models.
Answering the top questions merchants ask
What is the difference between a vulnerability scan and a penetration test? A vulnerability scan is an automated, high-level test that looks for potential security vulnerabilities[24] and identifies externally accessible assets and services that are vulnerable to common attacks[25]. A penetration test is a manual, in-depth exercise that mimics the techniques adversaries use to gain unauthorized access[25] and digs deeper to identify the root cause of vulnerabilities[24]. PCI DSS requires both: external vulnerability scans at least quarterly[1] and penetration tests annually and after significant changes[8].
How often should I scan? PCI DSS requires external scans by an ASV at least once every three months and after significant changes[2]. Best practice is to scan monthly or continuously to identify new vulnerabilities early. Clone Systems' unlimited scans make this feasible.
Do I really need scans if I use a hosted payment page (SAQ A)? Under PCI DSS 4.0.1, even SAQ A merchants must provide evidence of passing ASV scans at least quarterly[1]. This addresses a rise in attacks that exploit links between merchant sites and third-party payment processors.
What happens if I fail a scan? You must remediate the vulnerabilities and rescan until you achieve a passing result. Clone Systems includes unlimited rescans, so you don't pay extra for retesting[11].
Getting started with Clone Systems
- Assess your requirements: Determine whether your payment environment stores, processes or transmits cardholder data. Even if you use a hosted payment page, check if SAQ A applies and whether external scans are still required.
- Create an account and buy online: Visit Clone Systems' PCI compliance scanning page. You can purchase a plan directly through the online cart or contact sales for a custom quote. Merchants can choose between single-IP packages or multi-site bundles, while resellers can enroll in white-label programs.
- Add targets and schedule scans: Use the portal to add your public IP addresses or domains. Schedule your first scan and set reminders for quarterly scans.
- Review results and remediate: After the scan completes, download the report and address any identified vulnerabilities. Clone Systems' platform provides guidance on remediation steps[11].
- Rescan until you pass: Once remediation is complete, run a rescan. Repeat as necessary until you achieve a passing AoSC. Unlimited rescans ensure you stay compliant without extra fees[22].
- Maintain documentation: Keep your AoSC and related reports on file. Document remediation activities and retain records for auditors; best practice is to retain final penetration test reports and remediation results for at least three years[13].
Conclusion
PCI DSS 4.0.1 places a strong emphasis on continuous vulnerability management. External scans by an Approved Scanning Vendor are now required for all merchants, including those completing SAQ A, and internal scans must be authenticated. Choosing a reliable ASV with clear reporting, unlimited rescans and strong support is essential.
Clone Systems offers a comprehensive PCI scanning solution that not only satisfies compliance requirements but also improves your overall security posture. Its self-service portal, unlimited scans, and reseller programs make it an ideal partner for merchants and service providers seeking to simplify compliance and protect cardholder data.
[1] Resource Guide: Vulnerability Scans and Approved Scanning Vendors
[2] [3] Microsoft Entra ID and PCI-DSS Requirement 11 – Microsoft Entra | Microsoft Learn
[4] PCI-DSS: Security – Penalties
[5] [6] [9] [22] Approved Scanning Vendor (ASV) – Clone Systems, Inc.
[7] [8] [13] penetration_testing_standard.pdf
[10] [12] [14] [15] What Is an Approved Scanning Vendor (ASV) – And Why They Matter for PCI DSS 4.0.1 – Clone Systems, Inc.
[11] [16] [17] [18] [19] [20] [21] [23] PCI Compliance Scanning – Clone Systems, Inc.
[24] Vulnerability Scan | Mass.gov
[25] Services | CISA, https://www.cisa.gov/stopransomware/services