PCI ASV Scanning
Detectify PCI ASV Scanning is an external compliance scanning tool that helps you meet PCI DSS requirements for internet-facing systems. Delivered in partnership with Clone Systems — a PCI SSC-certified Approved Scanning Vendor (ASV) — this feature lets you manage your compliance status directly within the Detectify interface.
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a global security mandate created to protect cardholder data and prevent fraud. It is managed by the PCI Security Standards Council (PCI SSC), founded by major card brands including Visa, Mastercard, and American Express.
Any entity that stores, processes, or transmits cardholder data — or can impact the security of that data — must comply with PCI DSS.
Why ASV Scanning is Required
PCI DSS 4.0 Control 11.3.2 mandates that all internet-facing systems within the cardholder data environment undergo external vulnerability scans performed by a certified Approved Scanning Vendor (ASV).
These scans must be performed at least every 90 days, and the resulting Attestation of Scan Compliance (AoSC) serves as official proof of compliance required by banks and payment processors.
Who Needs ASV Scanning?
If your organization processes card payments through providers like Stripe, Adyen, Braintree, Checkout.com, or Worldpay, you are classified as a merchant and must maintain PCI DSS compliance.
| Category | Integration Type | External ASV Scanning | PCI DSS 4.0.1 Internal Scanning |
|---|---|---|---|
| SAQ A | Full Redirection (e.g., Stripe Checkout) | ~30 security controls + ASV Scans | Not affected |
| SAQ A-EP | Direct Iframe/API on site | ~190 security controls + ASV Scans | Affected |
| SAQ D | Raw Card Data Storage/Processing | 329+ controls + ASV Scans | Affected |
| Service Providers | Processing on behalf of others | Full SAQ D + ASV Scans | Affected |
Non-compliance can trigger automated monthly fees, revenue surcharges, payout freezes, and lost enterprise contracts during procurement.
| Merchant Level | Annual Transactions | Typical Impact |
|---|---|---|
| Level 4 | Up to 20,000 | Non-compliance fees of €20–€100/month |
| Level 3 | 20,000 – 1 million | Fines of €1,000–€10,000/month |
| Level 2/1 | Over 1 million | Mandatory audits, fines of €10,000–€100,000/month |
PCI DSS 4.0.1: Meeting the Internal Scanning Mandate
As of 31st of March 2025, PCI DSS 4.0.1 requires organizations to perform internal vulnerability scans (Requirement 11.3.1) that cover both the application layer and the OS/infrastructure layer. No single tool covers both — a combination approach is needed.
Internal Scanning Responsibility Matrix
| Layer | Responsibility | Scanning Method | Detectify Coverage |
|---|---|---|---|
| Application Layer | Custom code, APIs, Logic | DAST (Authenticated) | Yes |
| OS Layer (11.3.1.2) | Linux/Windows, Registry, Patches | Credentialed Network Scan | No |
| Infrastructure | Physical Servers, Hypervisor | AWS Internal Audits or similar | N/A |
Pro tip: Use Detectify Application Scanning for the application layer and pair it with a host-based scanner like AWS Inspector for the OS layer. Together, they provide full coverage for the internal scanning mandate.
Key Capabilities
- Scan profile management — Create and manage scan profiles for your domains and IP addresses directly in the Detectify UI
- Flexible scheduling — Set scan start dates, times, and frequencies (monthly or quarterly)
- Compliance dashboard — View pass/fail results, track capacity usage, and monitor compliance status at a glance
- Compliance-ready reports — Download AoSC, Executive, Detailed, and Remediation reports for auditors and payment processors
- Automated notifications — Receive email alerts when scans complete
- Audit trail — Access a complete history of all scans and reports per profile