PCI Network Vulnerability Scans
All merchants that electronically store payment cardholder data post-authorization or has external-facing IP addresses with Internet connectivity must submit to and complete a network vulnerability scan every 3 months by a PCI SSC Approved Scanning Vendor (ASV).
Approved Scanning Vendors (ASVs) are organizations that validate adherence to PCI DSS requirements by performing vulnerability scans of Internet-facing networks of merchants and service providers. The PCI Security Standards Council has approved more than 130 ASVs so far.
A network vulnerability security scan usually involves automated equipment that conducts a non-intrusive scan to remotely test networks and Web applications based on the external-facing IP addresses provided by the merchant or ASV. The vulnerability scan will identify vulnerabilities in all operating systems, services, and devices that could be used by hackers to exploit a company's private network. Merchants and ASVs must submit network scan reports to meet PCI documentation compliance.