External Vulnerability (ASV) Scans
All entities, including merchants, service providers and financial institutions, must have a quarterly scan completed to remain compliant with the PCI DSS standards. The tables below list the quarterly network scan requirements for service providers by region.
Visa USA & CEMEA – Service Provider Levels and Validation Actions
Level | Description | Validation Action |
---|---|---|
1 | All VisaNet processors (member and non-member) and all payment gateways.* | 1. Annual On-Site PCI Data Security Assessment; 2. Quarterly Network Scan |
2 | Any service provider that is not in Level 1 and stores, processes, or transmits more than 1,000,000 Visa accounts/transactions annually. | 1. Annual On-Site PCI Data Security Assessment; 2. Quarterly Network Scan |
3 | Any service provider that is not in Level 1 and stores, processes, or transmits fewer than 1,000,000 Visa accounts/transactions annually. | 1. Annual PCI Self-Assessment Questionnaire; 2. Quarterly Network Scan |
*According to Visa, payment gateways are a category of agent or service provider that stores, processes, and/or transmits cardholder data as part of a payment transaction. Specifically, they enable payment transactions (e.g., authorization or settlement) between merchants and processors (VisaNet endpoints). Merchants may send their payment transactions directly to an endpoint, or indirectly to a payment gateway.
Visa Asia/Pacific – Service Provider Levels and Validation Actions
Service Providers | More than 600,000 Visa transactions per year | Between 120,000 and 600,000 Visa transactions per year | Less than 120,000 Visa transactions |
---|---|---|---|
Self assessment questionnaire | Optional | Mandated | Mandated |
Quarterly network scan | Mandated | Mandated | Recommended |
Onsite review | Mandated | Recommended | Recommended |
MasterCard – Service Provider Levels and Validation Actions
Level | Description | Validation Action |
---|---|---|
1 | All TPPs. All DSEs that store, transmit, or process greater than 1,000,000 total combined MasterCard and Maestro transactions annually. | 1. Annual On-Site PCI Data Security Assessment; 2. Quarterly Network Scan |
2 | Includes all DSEs that store, transmit, or process less than 1,000,000 total combined MasterCard and Maestro transactions annually. | 1. Annual PCI Self-Assessment Questionnaire; 2. Quarterly Network Scan |
PCI Data Security Standard Compliance for Merchants
Level | Description | Validation Action | Validated By |
---|---|---|---|
1 | Any merchant – regardless of acceptance channel – processing more than 6,000,000 Visa transactions per year; any merchant that has suffered a hack or an attack that resulted in an account data compromise; any merchant identified by any card association as Level 1 | Annual On-Site Security Audit and Quarterly Network Scan | Independent Security Assessor, or Internal Audit if signed by an Officer of the company; Qualified Independent Scan Vendor |
2 | 1 million – 6 million Visa or MasterCard transactions per year | Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan | Merchant; Qualified Independent Scan Vendor |
3 | 20,000 – 1 million Visa or MasterCard e-commerce transactions per year | Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan | Merchant; Qualified Independent Scan Vendor |
4 | Less than 20,000 Visa or MasterCard e-commerce transactions per year, and all other merchants processing up to 1 million Visa or MasterCard transactions per year | Recommended Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan | Merchant; Qualified Independent Scan Vendor |
Note: While compliance is mandatory for Level 4 Merchants, validation is optional but strongly recommended.