ASV Scanning in compliance with PCI DSS
Holm Security provides Approved Scanning Vendor (ASV) scanning: the external vulnerability scans, performed by a scanning vendor approved by the PCI Security Standards Council (PCI SSC), that organizations must obtain to comply with the Payment Card Industry Data Security Standard (PCI DSS).
PCI DSS requirements
Build & maintain secure networks & systems
Install and maintain network security controls and ensure secure configurations across all system components.
Protect cardholder data
Protect stored account data, and protect cardholder data with strong cryptography during transmission over open, public networks.
Maintain a vulnerability management program
Protect all systems and networks from vulnerabilities with a vulnerability management program.
Implement strong access control measures
Restrict access to system components and cardholder data, identify users and authenticate to system components, and restrict physical access to cardholder data.
Regularly monitor & test networks
Log and monitor access to system components and cardholder data, and regularly test the security of systems and networks.
Maintain an information security policy
Strengthen information security through clear organizational policies and structured programs.
ASV Scanning requirements
Scanning requirements
To achieve a passing result, your organization must identify and remediate every vulnerability that causes the scan to fail, not only those rated critical; see the passing scan criteria below.
Continuous scanning
You must conduct external vulnerability scans at least once every three months using an Approved Scanning Vendor (ASV) and obtain a passing result for each quarter. Scanning more frequently is recommended as part of your vulnerability management program, so that new exposures are found and fixed before the quarterly ASV scan rather than by it.
Post-significant change scans
External scans are also required after any significant change to your network or system components (for example, new internet-facing systems or changed firewall rules). Unlike the quarterly scans, these change-driven scans may be performed by qualified internal or external personnel and do not have to be run by an ASV, but vulnerabilities scored CVSS 4.0 or higher must still be resolved and rescans performed as needed.
Remediation and rescanning
Your organization must remediate failing vulnerabilities promptly and rescan the affected systems until a passing scan is obtained. The passing result must fall within the quarter it covers, so leaving remediation to the end of the quarter risks a failed quarter.
Passing scan criteria
A scan is considered "passing" when no vulnerabilities with a Common Vulnerability Scoring System (CVSS) base score of 4.0 or higher are detected on any in-scope component. The PCI SSC ASV Program Guide also defines automatic failures regardless of CVSS score, including SQL injection, cross-site scripting, directory traversal, and backdoors or malware, and a scan cannot pass if it was interfered with (for example, an IPS blocking the scanner).
A complete ASV solution
Scans your internet-facing systems
Using our scanning platform, we scan the internet-facing systems that are part of, or provide a path into, your cardholder data environment.
Identifies vulnerabilities
Identifies vulnerabilities, including known CVEs in outdated software, misconfigurations, and weak or unnecessarily exposed services.
Verifies vulnerabilities
Our ASV specialists review the findings, and any results you dispute with supporting evidence, so that confirmed false positives are removed and the report reflects genuine exposures.
PCI-compliant scan report
We provide scan reports in the format prescribed by the PCI SSC ASV Program Guide (executive summary and detailed report), showing the scope, the findings, and the pass/fail result for each component, and demonstrating that failing vulnerabilities were remediated and rescanned in a timely manner.
PCI compliance reporting
We attest the passing scan report (the Attestation of Scan Compliance) so you can submit it to your acquirer or the payment brands as they require, or retain it and provide it on request.
Frequently asked questions
What is PCI?
PCI stands for Payment Card Industry. The PCI Security Standards Council (PCI SSC), founded by the major payment brands, owns and maintains the PCI standards, including PCI DSS.
What is PCI DSS?
PCI DSS is the global security standard for protecting payment card data. It applies to any organization that stores, processes, or transmits cardholder data, or that can affect the security of that data.
What is ASV?
ASV stands for Approved Scanning Vendor: a company approved by PCI SSC to perform the quarterly external vulnerability scans that PCI DSS requires.
Is Holm Security a certified ASV?
Holm Security expects to be listed as an approved ASV and to provide the product and service from the third quarter of 2026. Until then, we provide ASV scanning through our partner.
What systems should be scanned with an ASV?
Any externally accessible (internet-facing) IP address or domain that is part of the cardholder data environment, or that provides a path to it, must be in scope. This includes web servers, mail and DNS servers, load balancers, and remote access gateways. Under the ASV Program Guide you define this scope and attest that it is complete, so an incomplete scope invalidates the scan rather than narrowing it.
What happens if our organization is not compliant?
Non-compliance with PCI DSS can lead to fines, higher transaction fees, forced audits, and loss of the ability to accept card payments, and the consequences are far more severe if a breach occurs while you are non-compliant.
What are the PCI DSS merchant levels?
Merchants are classified into one of four compliance levels based on payment card transaction volume over a 12-month period. This includes credit, debit, prepaid, gift, chip, and stored-value cards that carry the logo of a PCI SSC Participating Payment Brand (a PCI SSC member or affiliate).
Each payment brand sets its own criteria for merchant levels, so check directly with your acquiring bank or the payment brand for your applicable level. Here is an example of merchant levels as defined by Visa and Mastercard:
Merchant level 1
More than 6 million credit or debit card transactions per year.
Requirement: Annual on-site assessment resulting in a Report on Compliance (typically performed by a QSA) and quarterly Approved Scanning Vendor (ASV) scans.
Merchant level 2
1 to 6 million transactions annually.
Requirement: Annual Self-Assessment Questionnaire (SAQ) and quarterly ASV scans.
Merchant level 3
20,000 to 1 million e-commerce transactions annually.
Requirement: Annual Self-Assessment Questionnaire (SAQ) and quarterly ASV scans.
Merchant level 4
Fewer than 20,000 e-commerce transactions annually, and all other merchants processing up to 1 million transactions annually.
Requirement: Annual Self-Assessment Questionnaire (SAQ) and quarterly ASV scans if applicable; the acquirer sets the validation requirements for this level.
What is a Qualified Security Assessor (QSA)?
A QSA is a company qualified by PCI SSC to assess and validate an organization's PCI DSS compliance (for example, by producing a Report on Compliance), while an ASV performs the mandatory quarterly external vulnerability scans. They cover different parts of the same compliance process.
How do I get started with ASV scanning?
Reach out today to get started.
