What is an Approved Scanning Vendor?

An ASV is an organisation or entity that is qualified by the Payment Card Industry Security Standards Council (PCI SSC) to conduct external scanning to assess the vulnerability of a client organisation.

In partnership with the approved ASV company Qualys Inc., IntaForensics utilise the Qualys Cloud Platform to offer an ASV scanning service for PCI DSS customers.  Vulnerability scanning and remediation services are delivered by IntaForensics consultants with the final attestation provided by Qualys Inc.

The purpose of the Program is to validate adherence with the external scanning requirements of PCI DSS requirement 11.2.2.

As a PCI SSC accredited Qualified Security Assessor (QSA) Company, IntaForensics are very experienced in the review of payment processing environments and the provision of relevant, focused and valued advice/recommendations.

What will the process look like?

IntaForensics utilise a cloud-hosted scanning platform to perform an in-depth vulnerability scan against external hosts and perimeter firewalls of the customers Cardholder Data Environment (CDE).

  • Once per quarter, IntaForensics specialist staff run an initial vulnerability scan against the required host addresses / domain names
  • Remediation requirements which score above a CVSS score 4.0 or higher will be reported to the customer to be resolved
  • IntaForensics will provide telephone and email support up to a maximum of 2 hours.  Remediation requiring more extensive support will be delivered on a consultancy basis if required
  • Following remediation, a further scan is run to confirm that any remediation is effective
  • Once a passing PCI Scan has been reached, the scan is submitted to Qualys Inc. ASV team for attestation.  This will be completed and returned within 48 hours

5 IP addresses per quarter are comprised in the service cost, which includes the initial scan and a follow up re-scan if remediation work is required.

ASV Scan Requirements

ASV scans are mandated for organisations based on PCI DSS requirements for external vulnerability scans.  If your Self-Assessment or on site assessment has identified that requirement 11.2 of the current PCI DSS standard applies to your CDE, quarterly external scans are required.

If you are currently self-assessing against PCI DSS and are unsure if ASV scans are required, please speak to our QSA Team who can provide assistance with SAQ selection and identifying applicable requirements.

ASV Scanning Service


  • Fixed price of £900.00 (+VAT) for up to 5 IP addresses
  • 4 Quarterly scans and 4 free re-scans per IP address
  • Remediation and support service via email and telephone, for up to 2 hours per quarter


  • Payment taken for the ASV Scanning Service for 12 months
  • Customer provides a signed confirmation granting permission for IntaForensics to scan externally hosted addresses.  Scanning of devices hosted in third-party managed environments will require additional confirmation to be sought from the hosting provider
  • IntaForensics will verify that the scope provided is accurate
  • Initial scan date agreed, and three further quarterly dates scheduled on service commencement
  • Customer will be contacted by IntaForensics staff, prior to the scan commencement to confirm

Purchase Now


Contact Our Team Now!

Enquire Now!


Essential Downloads

You now understand the importance of Cyber Essentials Certification. Now its time to get approval. Take the hassle out of Business Cases and download our template now.Download Now

Working in or own an SME? Just starting your journey to effective Cyber Security? Start your journey the right way with our Quick Guide for SMEs.
Download Now

One of the most important parts in effective Cyber Security is educating staff but there isn’t always time. Why not download our guide to Email Security?   Download Now

Internet browsing is now a staple of our online lives. But very few understand the risks of simple browsing. Browse safely with a few simple steps.Download Now