ASV Scans of Mobile Application
- Nabu
- Jul 30
- 1 min read
ASV scanning (PCI DSS Requirement 11.3.2) is also needed for mobile applications:
“All publicly accessible applications — including backend systems that mobile apps communicate with — must undergo ASV scans.”
Why is this required? Requirement 11.3.2 (PCI DSS v4.0.1) mandates:
External vulnerability scans are to be performed at least once every three months … on all externally accessible (Internet-facing) system components that are part of the cardholder data environment (CDE), or that provide a path to the CDE.
Even if the mobile app doesn’t process the PAN directly, its backend APIs are Internet-facing and mediate the payment flow, which places them in scope.
According to the PCI SSC “Resource Guide: Vulnerability Scans and Approved Scanning Vendors”:
“ASV scan requirements in SAQ A apply … to e‑commerce merchant systems that host the webpage or embedded payment page/form … The intent is … scanning for vulnerabilities that could potentially expose their link to the TPSP’s payment page.” (blog.pcisecuritystandards.org).
Replace “webpage” with “backend API” — the principle is identical: if it’s Internet-facing and tied to payment, it requires scanning.
The PCI Approved Scanning Vendor Program Guide (v4.0r2) defines “Internet-facing system components” as all hosts that can be reached externally and are part of or provide a path to the CDE.
That includes the backend servers — they are scannable assets under the ASV Program.
See the Resource Guide for further information about Application Servers, DNS Servers, Web Applications and Web Servers.