
PCI DSS Requirement 11.3.2 and ASV Scans for E-Commerce Merchants

  • Dec 23, 2024

Updated: May 27

As part of PCI DSS v4.0.1, Requirement 11.3.2 covers external vulnerability scans performed by a PCI SSC Approved Scanning Vendor (ASV). For e-commerce merchants, these ASV scans help assess internet-facing systems for vulnerabilities that could compromise the security of cardholder data.


This requirement is crucial to maintaining PCI DSS compliance and protecting sensitive information in a digital environment, especially where public-facing websites, payment-related systems, APIs, firewalls or web servers could affect the cardholder data environment.


[Image: ASV scan checking e-commerce website and external infrastructure]

What is an ASV scan?


An ASV scan is a security scan performed by a PCI SSC Approved Scanning Vendor, designed to identify vulnerabilities in internet-facing systems. For e-commerce merchants, the scan normally focuses on public-facing assets that are in scope for PCI DSS or could impact the cardholder data environment.


These systems may include websites, payment-related endpoints, web servers, APIs, firewalls, WAF configurations, public IP addresses and other externally reachable infrastructure that handles cardholder data or could affect payment security.


The ASV scan checks for weaknesses that could potentially be exploited by attackers, such as open ports, outdated software, insecure services, TLS or certificate issues, missing security headers and misconfigurations that could lead to data exposure or data breaches.
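One of the checks listed above, missing security headers, is easy to run against your own site before the ASV scan so that the finding does not appear in the report. The following is an added example, not code from the original post or from any ASV vendor's scanner: it parses a constructed raw HTTP response and reports headers that are absent or weakly configured. The set of headers checked and the HSTS max-age threshold are assumptions for illustration; which headers a particular ASV flags is vendor-specific.

```python
from __future__ import annotations

# Constructed sample response (not captured from a real site). It carries a
# short HSTS max-age and is missing CSP and X-Content-Type-Options.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Strict-Transport-Security: max-age=300\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"\r\n"
    b"<html><body>checkout</body></html>"
)

# Assumed policy: headers a public-facing payment page should send.
REQUIRED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
)
MIN_HSTS_MAX_AGE = 31536000  # assumed threshold: one year in seconds


def parse_headers(raw: bytes) -> dict[str, str]:
    """Return response headers as a lower-cased name -> value dict.

    Only the header block (before the first blank line) is read; the body
    is ignored. Duplicate names keep the last value seen.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def hsts_max_age(value: str) -> int | None:
    """Extract max-age from an HSTS header value, or None if absent/invalid."""
    for directive in value.split(";"):
        key, sep, num = directive.strip().partition("=")
        if sep and key.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return None


def check_security_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of issues an external scan would be likely to report."""
    issues: list[str] = []
    for name in REQUIRED_HEADERS:
        if name not in headers:
            issues.append(f"missing header: {name}")
    hsts = headers.get("strict-transport-security")
    if hsts is not None:
        age = hsts_max_age(hsts)
        if age is None or age < MIN_HSTS_MAX_AGE:
            issues.append(
                f"strict-transport-security max-age={age} is below "
                f"the assumed minimum of {MIN_HSTS_MAX_AGE}"
            )
    return issues


if __name__ == "__main__":
    for issue in check_security_headers(parse_headers(SAMPLE_RESPONSE)):
        print(issue)
```

Run this against a response captured from your own checkout page (for example the output of `curl -si`) and fix what it reports; a clean result here removes one class of finding before the quarterly ASV scan is scheduled.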



Why is an ASV scan required under PCI DSS?


1. Protecting cardholder data

PCI DSS is built around protecting cardholder data from unauthorised access, exposure and compromise. ASV scans support this goal by identifying vulnerabilities in internet-facing systems before attackers can use them as an entry point into the payment environment.


2. Meeting PCI DSS external scan requirements

Under PCI DSS Requirement 11.3.2, external vulnerability scans must be performed by a PCI SSC Approved Scanning Vendor at least every 90 days for applicable internet-facing systems. A passing ASV scan helps demonstrate that externally visible vulnerabilities have been reviewed, remediated and re-tested where needed.


3. Reducing the risk of failed compliance evidence

For e-commerce merchants, the problem is not just running a scan. The scan must be scoped correctly, completed on time and followed by remediation when findings appear. If vulnerabilities remain unresolved, the merchant may not have the evidence needed for a clean PCI DSS validation process.




When is an ASV Scan Required?


According to PCI DSS v4.0.1, Requirement 11.3.2, ASV scans are required under the following circumstances:


  1. Quarterly Scans: Merchants must conduct ASV scans at least every 90 days (quarterly). This ensures that externally visible vulnerabilities are regularly assessed and remediated. The scan must be completed with status "Pass" at least once every 90 days.

  2. Changes in the Environment: If there is a significant change in the merchant's IT environment, such as a system upgrade, a change to the network architecture, a firewall or WAF change, a new public IP address, or the introduction of new software or hardware that may affect the security of payment systems, a new external scan should be conducted. Such changes can inadvertently introduce new vulnerabilities, which is why an updated scan is needed whenever they occur.

  3. Prior to Submitting PCI DSS Compliance: Merchants that are required to provide ASV evidence should have a current passing ASV scan before submitting their Self-Assessment Questionnaire (SAQ), Report on Compliance (ROC) or other PCI DSS validation evidence. This helps show that the applicable external systems have been scanned, failing vulnerabilities have been addressed and the ASV Program Guide requirements for a passing scan have been met.

  4. After Significant Vulnerabilities Are Remediated: After vulnerabilities are identified through an ASV scan and addressed, merchants must conduct follow-up scans to ensure that the fixes have been successfully implemented and that the vulnerabilities have been closed. These rescans are important because the final goal is a passing ASV scan, not simply evidence that a scan was attempted.
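The four conditions above combine into a single question a merchant should be able to answer at any time: is there a passing ASV scan within the last 90 days, and has anything happened since that pass (a failed scan, a significant change) that calls for another scan? The following is an added example, not code from the original post or from nabu: it evaluates a constructed scan history and change log against those rules and reports the next due date and any outstanding actions. The record shapes and the rule that any change after the last pass requires a new scan are assumptions for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

SCAN_INTERVAL_DAYS = 90  # PCI DSS 11.3.2: a passing ASV scan at least every 90 days


@dataclass(frozen=True)
class ScanRecord:
    scan_date: date
    result: str  # "pass" or "fail" (assumed simplification of ASV report status)


@dataclass(frozen=True)
class ChangeEvent:
    change_date: date
    description: str


def evaluate_asv_status(scans: list[ScanRecord],
                        changes: list[ChangeEvent],
                        today: date) -> dict:
    """Apply the 11.3.2 cadence and rescan rules to a scan history.

    Returns the last passing scan date, the next due date, a list of
    outstanding actions, and a boolean that is True only when no action
    is outstanding.
    """
    ordered = sorted(scans, key=lambda s: s.scan_date)
    passes = [s for s in ordered if s.result == "pass"]
    last_pass = passes[-1].scan_date if passes else None
    actions: list[str] = []

    # Rule 1: a passing scan at least every 90 days.
    if last_pass is None:
        next_due = today
        actions.append("no passing ASV scan on record; scan required now")
    else:
        next_due = last_pass + timedelta(days=SCAN_INTERVAL_DAYS)
        if today > next_due:
            actions.append(
                f"last passing scan on {last_pass} is older than "
                f"{SCAN_INTERVAL_DAYS} days (was due {next_due})"
            )

    # Rule 4: a failed scan after the last pass must be remediated and rescanned.
    if ordered:
        latest = ordered[-1]
        if latest.result == "fail" and (last_pass is None or latest.scan_date > last_pass):
            actions.append(
                f"latest scan on {latest.scan_date} failed; remediate and "
                f"rescan until a passing result is obtained"
            )

    # Rule 2: a significant change after the last pass needs a fresh scan.
    for change in sorted(changes, key=lambda c: c.change_date):
        if last_pass is None or change.change_date > last_pass:
            actions.append(
                f"change '{change.description}' on {change.change_date} "
                f"has no passing scan after it"
            )

    return {
        "last_pass": last_pass,
        "next_due": next_due,
        "days_remaining": (next_due - today).days,
        "actions": actions,
        "evidence_ok": not actions,
    }


# Constructed sample history (not real scan data).
SAMPLE_SCANS = [
    ScanRecord(date(2024, 7, 1), "pass"),
    ScanRecord(date(2024, 9, 20), "pass"),
    ScanRecord(date(2024, 12, 10), "fail"),
]
SAMPLE_CHANGES = [
    ChangeEvent(date(2024, 11, 15), "new public IP for checkout API"),
]


if __name__ == "__main__":
    status = evaluate_asv_status(SAMPLE_SCANS, SAMPLE_CHANGES, date(2024, 12, 23))
    print("evidence ok:", status["evidence_ok"], "next due:", status["next_due"])
    for action in status["actions"]:
        print(" -", action)
```

Rule 3 (a current passing scan before submitting the SAQ or ROC) is the same check run on the submission date: if `evidence_ok` is False on that day, the validation package is missing its ASV evidence.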


If you need help confirming scope, running the external scan or resolving failed findings, nabu provides a dedicated PCI external scanning service for merchants and service providers.


[Image: PCI DSS Requirement 11.3.2 ASV scan for e-commerce systems]

How Does an ASV Scan Benefit E-Commerce Merchants?


  1. Increased Customer Trust: By regularly performing ASV scans and resolving identified vulnerabilities, e-commerce merchants show their commitment to securing customer payment data. This can help build trust with customers, knowing their payment information is being handled within a more controlled and regularly tested environment.

  2. Avoidance of Fines: Failing to comply with PCI DSS can lead to significant fines or penalties, as well as increased scrutiny from payment processors, acquirers and card brands. Regular ASV scans help merchants stay on track with their compliance obligations and reduce the risk of missing required external vulnerability scan evidence.

  3. Improved Security Posture: ASV scans are a proactive way to identify vulnerabilities in a merchant's external environment before they can be exploited. Regular scanning helps ensure that security weaknesses such as exposed services, outdated software, insecure configurations and missing controls are identified and fixed promptly, reducing the risk of a data breach.



Conclusion


For e-commerce merchants, the requirement to run ASV scans under PCI DSS Requirement 11.3.2 is not just a compliance obligation; it is a critical security measure to protect customer data and reduce the risk of cyber threats. These scans, performed at least every 90 days or after significant changes to the IT environment, help ensure that externally visible vulnerabilities are identified and remediated promptly.


To support PCI DSS compliance, merchants must not only complete ASV scans but also address vulnerabilities identified in the scans and complete follow-up rescans where needed to achieve a passing result. This approach can reduce the risk of data breaches, support PCI DSS validation and strengthen long-term customer trust.



For organisations preparing for PCI DSS ASV external scanning, nabu’s ASV scanning service can help confirm scope, run the external scan and support remediation before your next quarterly deadline.


Contact nabu to discuss your next ASV scan or quarterly PCI DSS scanning requirements.
