PCI ASV Scanning

Quarterly PCI ASV scans, managed end to end.

We’re not an Approved Scanning Vendor. We’re the QSAC that manages the scans in partnership with a PCI SSC Approved Scanning Vendor, reviews the findings, and delivers the AOSC report your acquirer wants to see.


What is PCI ASV scanning?

PCI DSS Requirement 11.3.2 mandates that any organisation handling payment-card data runs external vulnerability scans of its internet-facing systems at least every 90 days. These scans must be performed by an Approved Scanning Vendor (ASV) — a vendor listed on the PCI Security Standards Council’s ASV register.

The ASV runs the scan and produces an Attestation of Scan Compliance (AOSC). Our role is to manage the engagement — scope confirmation, scheduling, findings triage, remediation guidance, and the back-and-forth with the ASV so the AOSC you receive is clean, accurate, and ready for your acquirer.

Key facts

PCI DSS requirement: 11.3.2
Scan cadence: every 90 days
Vendor type required: ASV
Quarterly deliverable: AOSC

What we do

Four engagement components covering the full ASV scanning lifecycle.

Quarterly scan management

We schedule and run the scans on the cadence PCI DSS Requirement 11.3.2 demands. We handle change windows, retries, and out-of-band scans after significant changes.

Findings triage and false-positive review

Our QSAs triage every finding before it reaches you — false positives are documented and dismissed; real issues come with prioritised remediation guidance.

AOSC delivery

Attestation of Scan Compliance delivered each quarter, ready for your acquirer or QSA. We handle the back-and-forth so you do not have to.

Remediation support

Where vulnerabilities need fixing, we support your team through the change — patch guidance, configuration changes, and re-scan validation.

What gets scanned

Anything internet-facing in your cardholder data environment is in scope for ASV scanning. In practice that breaks down into four categories.

External-facing IPs

Every internet-routable address in your cardholder data environment, including load balancers, web servers, mail servers, and DNS infrastructure.

Public-facing applications

Web applications, APIs, and customer portals that handle or could handle cardholder data, scanned for known CVEs and misconfigurations.

DMZ infrastructure

Bastion hosts, jump boxes, VPN concentrators, and any segmentation control listed in your network diagram.

New systems before go-live

Out-of-band scans for systems being introduced into the cardholder data environment, ensuring they pass before they take live traffic.

How a quarter runs

Scoping happens once. Steps 3 to 5 repeat every 90 days.

  1. Scoping call (30 minutes, free)

     We confirm your in-scope external IP ranges, hostnames, and any segmentation controls. No commitment to proceed.

  2. Scope confirmation (1 week)

     You confirm the scope in writing. We document the network diagram, change windows, and a contingency contact for the scanning windows.

  3. Quarterly scans (quarterly)

     Scans run on schedule via our partner ASV. We monitor the scan, handle retries and out-of-band reruns, and log everything for your auditor.

  4. Findings triage (3–5 working days)

     Our QSA reviews every finding. False positives are documented and dismissed; real findings come with severity, evidence, and remediation guidance.

  5. AOSC delivery (1–2 weeks)

     You receive the Attestation of Scan Compliance and supporting evidence. We handle dispute and clarification cycles with the ASV on your behalf.

Common findings

The four issues that account for most scan failures we see in the wild.

Missing patches

Operating-system and application patches for critical vulnerabilities that have not been applied within the 30-day window PCI DSS requires.

Weak TLS configuration

TLS 1.0 and 1.1 still enabled, weak cipher suites, expired certificates, or hostnames that fail SAN validation.

Web-application gaps

Outdated CMS plugins, exposed admin paths, missing security headers, and known-vulnerable third-party libraries.

Forgotten infrastructure

Test endpoints left in production, deprecated subdomains pointing to live IPs, and orphaned hostnames in DNS.
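As an added example, not the service's or its partner ASV's own tooling, the following Python pre-check covers the weak-TLS findings above: it probes whether a host still accepts TLS 1.0 or 1.1, and maps probe results, cipher names and the certificate dict from getpeercert() onto those findings so a team can catch them before the quarterly scan. The host name, the weak-cipher marker list and all sample values are assumptions.

```python
"""Pre-scan self-check for the 'Weak TLS configuration' findings listed above.
Constructed example; not the service's or the partner ASV's own tooling."""
import socket
import ssl
import time
from datetime import datetime, timezone

LEGACY = {"TLSv1": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1}
# Heuristic substrings of OpenSSL cipher names that ASV scans routinely fail (assumed list).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ADH", "AECDH")


def probe_legacy_protocols(host, port=443, timeout=5):
    """Return {name: accepted} by forcing each legacy version as the only one
    offered. Needs network access; a handshake failure counts as 'not accepted'."""
    accepted = {}
    for name, version in LEGACY.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
        try:
            ctx.set_ciphers("ALL:@SECLEVEL=0")  # let OpenSSL offer legacy suites
            ctx.minimum_version = ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host):
                    accepted[name] = True
        except (OSError, ValueError):  # ssl.SSLError is an OSError; ValueError if unsupported
            accepted[name] = False
    return accepted


def _san_matches(pattern, hostname):
    """RFC 6125 style: a wildcard matches only as the whole leftmost label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h) or (p[0] == "*" and len(p) < 3):
        return False
    return all(a == b or (i == 0 and a == "*" and b) for i, (a, b) in enumerate(zip(p, h)))


def evaluate_tls(protocols, cipher_names, cert, hostname, now=None):
    """Map probe results onto the page's four weak-TLS findings. `cert` is the dict
    SSLSocket.getpeercert() returns with a verifying context; `now` is epoch seconds."""
    now = time.time() if now is None else now
    findings = [f"{p} accepted" for p, ok in protocols.items() if ok and p in LEGACY]
    weak = [c for c in cipher_names if any(m in c for m in WEAK_CIPHER_MARKERS)]
    if weak:
        findings.append("weak cipher suites: " + ", ".join(weak))
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])  # parses 'Jan  1 00:00:00 2024 GMT'
    if not_after < now:
        findings.append(f"certificate expired {datetime.fromtimestamp(not_after, timezone.utc):%Y-%m-%d}")
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(_san_matches(s, hostname) for s in sans):
        findings.append(f"{hostname} not covered by SAN list {sans}")
    return findings
```

The evaluation step is pure so it can be run against stored scan data; only probe_legacy_protocols touches the network.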

Why 1 Sequence Cyber

PCI SSC-listed QSAC

Listed on the PCI Security Standards Council website as a Qualified Security Assessor Company. Our QSAs review your scan scope and findings before they reach your acquirer.

CREST DPT alignment

Penetration Testing aligned to the CREST Defensible Penetration Test specification — relevant context for the broader PCI Requirement 11 testing programme that ASV scans sit alongside.


Ready to schedule your next quarterly scan?

Tell us your scope and your last AOSC date. We’ll come back with a fixed-fee proposal within 48 hours.
