
Protect your revenue and ensure continuity
Compliance should be a byproduct of good security, not a burden. Eliminate the friction of financial penalties and keep your core payment functionality running with automated PCI DSS compliance scanning.
Protect Your Revenue
Automate your PCI ASV scan schedule to avoid the monthly fees and revenue surcharges that acquirers impose for non-compliance.
Merchant Continuity
Never miss a 90-day deadline. We help merchants at every level avoid the payout freezes and "Fail" statuses that disrupt core operations.
Mandatory API Compliance
Fulfil SAQ A-EP or SAQ D requirements for any SaaS using API-based checkouts and keep your payment gateway access.

Audit-ready reporting and transparency
We provide the technical rigor and documentation required to satisfy auditors and build lasting trust with high-value business partners through PCI compliance reporting and ASV certification.
Compliance-Ready Reports
Access mandatory documentation, including the Attestation of Scan Compliance (AoSC), Executive Reports, and Detailed Technical Reports.
Build B2B Confidence
Accelerate procurement cycles by providing the passing ASV scan reports and AOCs needed to satisfy stringent enterprise security requirements.
Every PCI vulnerability scan report includes technical remediation steps, turning failed results into clear, actionable tasks for your engineering team.

Unified workflow and secure governance
Manage your external vulnerability scanning and PCI compliance from a single view with our automated governance engine.
Secure Data Governance
Maintain a lightweight architecture: vulnerability data resides with Clone Systems, and reports are retained for a guaranteed 3 years.
Automated Alerts
Get notified immediately via in-app alerts and email once a PCI ASV scan is complete, with PDF reports ready for download directly in the UI.
How Detectify's PCI ASV Scanning works

Step 1
Define your scope
Add multiple scan targets, including Domains and IP addresses, directly in the Detectify tool and set your preferred scan time.

Step 2
Execution & Monitoring
Automated workflows run external PCI ASV scans through the Approved Scanning Vendor (ASV) on your schedule, ensuring deadlines are met.

Step 3
Retrieve & Remediate
View Passed/Failed results in your dashboard. Download your reports and follow the remediation guide to maintain a compliant status.
Crowdsource — Ethical hacker expertise within minutes
Research from Crowdsource, our community of 400+ ethical hackers, is built daily into Detectify, allowing you to discover the latest undocumented security vulnerabilities. From hacker community to implementation in as fast as 15 minutes.
Frequently Asked Questions
Answers to common questions about PCI vulnerability scanning and PCI DSS compliance.
PCI ASV scanning is a mandatory quarterly external vulnerability scan performed by a PCI SSC Approved Scanning Vendor to identify vulnerabilities in your internet-facing systems. PCI DSS requires it (Requirement 11.3.2 in v4.0) because your external perimeter is the primary target for data breaches. A scan passes only once every vulnerability with a CVSS score of 4.0 or higher has been fixed, so a passing scan is objective, third-party proof that your perimeter is maintained, helping you stay compliant while keeping both attackers and hefty bank fines at bay.
Detectify partners with Clone Systems, a PCI-Approved Scanning Vendor (ASV), to deliver PCI ASV scans through your Detectify account. You don't need a separate Clone Systems account since everything is managed inside Detectify.
Here's what happens behind the scenes:
You add the public-facing assets you want scanned (domain, IP or IP range) and choose a scan frequency (monthly or quarterly).
Detectify sets up the scan with Clone Systems automatically.
Clone Systems runs the scan from their certified ASV scanners on the schedule you picked.
When the scan completes, Detectify pulls in the reports, including the official Attestation of Scan Compliance (AoSC), an Executive Summary, a Detailed Findings report and a Remediation report, and makes them available for download in your Detectify dashboard.
If a scan comes back non-compliant, you can fix the issues and trigger a manual rescan from Detectify.
A PCI ASV scan looks at everything an external attacker on the internet could see and probe. That includes:
Outdated software with known security flaws (web servers, operating systems, frameworks, CMS plugins, etc.).
Weak or outdated encryption, old TLS/SSL versions, weak ciphers, expired or invalid certificates.
Open ports and unnecessary services exposed to the internet.
Web application vulnerabilities like SQL injection, cross-site scripting, directory traversal, and exposed admin areas.
Default or weak credentials on internet-facing services.
Misconfigurations, verbose error pages, directory listings, exposed backup or .git files, missing security headers.
Each finding is scored and evaluated against the PCI SSC ASV Program Guide. Any vulnerability with a CVSS base score of 4.0 or higher causes the scan to fail until it is remediated, and a short list of finding types defined by the PCI Council (for example SQL injection, cross-site scripting and default accounts) fails the scan automatically regardless of score.
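The checks listed above are easy to run yourself before the ASV scanner does, so a failing finding never comes as a surprise on the deadline. The following is an added example, not Detectify or Clone Systems code: it applies the same classes of check (TLS version and cipher, security headers, exposed paths and directory listings) to constructed data and applies the ASV verdict rules as described above. The per-finding CVSS scores, the hostname and the sample responses are all constructed for illustration; a real scanner assigns its own scores.

```python
"""Pre-scan self-check mirroring ASV finding classes, over constructed data.

Added example (not Detectify/Clone Systems code). Verdict rules follow the
ASV Program Guide as summarised on this page: CVSS >= 4.0 fails, and a few
finding classes fail automatically regardless of score. Scores are illustrative.
"""
import re
from dataclasses import dataclass

PASS_THRESHOLD = 4.0
# Subset of the automatic-failure classes named in the ASV Program Guide.
AUTOMATIC_FAILURES = {"sql-injection", "xss", "default-credentials"}
ACCEPTED_TLS = {"TLSv1.2", "TLSv1.3"}        # SSLv2/3, TLS 1.0/1.1 are reported
WEAK_CIPHER = re.compile(r"RC4|DES|NULL|EXPORT|MD5|anon", re.IGNORECASE)
REQUIRED_HEADERS = ("Strict-Transport-Security", "Content-Security-Policy",
                    "X-Content-Type-Options", "X-Frame-Options")
# path -> (title, constructed CVSS) for files that should never be reachable
SENSITIVE_PATHS = {"/.git/HEAD": ("Exposed .git repository", 7.5),
                   "/backup.zip": ("Exposed backup archive", 7.5),
                   "/admin/": ("Admin interface reachable from the internet", 5.3)}


@dataclass
class Finding:
    host: str
    title: str
    cvss: float
    category: str = "misconfiguration"
    remediation: str = ""

    def fails(self) -> bool:
        """True if this finding alone would turn the scan into a Fail."""
        return self.cvss >= PASS_THRESHOLD or self.category in AUTOMATIC_FAILURES


def check_tls(host, version, cipher):
    """Flag legacy protocol versions and weak negotiated cipher suites."""
    out = []
    if version not in ACCEPTED_TLS:
        out.append(Finding(host, f"Server supports {version}", 5.3, "weak-crypto",
                           "Disable SSLv3/TLS 1.0/1.1 and offer TLS 1.2+ only"))
    if WEAK_CIPHER.search(cipher):
        out.append(Finding(host, f"Weak cipher suite negotiated: {cipher}", 5.3,
                           "weak-crypto", "Remove RC4/3DES/NULL/EXPORT suites"))
    return out


def check_headers(host, headers):
    """Missing hardening headers and version-disclosing banners (low severity)."""
    lower = {k.lower(): v for k, v in headers.items()}
    out = [Finding(host, f"Missing {h} header", 2.6, "missing-header",
                   f"Send {h} on every response")
           for h in REQUIRED_HEADERS if h.lower() not in lower]
    server = lower.get("server", "")
    if re.search(r"/\d", server):  # e.g. "nginx/1.18.0" discloses a version
        out.append(Finding(host, f"Server banner discloses version: {server}", 2.6,
                           "info-disclosure", "Suppress the version in the Server header"))
    return out


def check_paths(host, responses):
    """responses: path -> (status, body). Flags exposed files and autoindex pages."""
    out = []
    for path, (status, body) in responses.items():
        if status != 200:
            continue
        if path in SENSITIVE_PATHS:
            title, score = SENSITIVE_PATHS[path]
            out.append(Finding(host, f"{title} at {path}", score, "exposure",
                               f"Block or remove {path}"))
        if "Index of /" in body:
            out.append(Finding(host, f"Directory listing enabled at {path}", 5.3,
                               "misconfiguration", "Disable directory indexing"))
    return out


def verdict(findings):
    """Apply the ASV rule: any failing finding fails the whole scan."""
    failing = [f for f in findings if f.fails()]
    return {"result": "Fail" if failing else "Pass",
            "failing": failing, "reported": len(findings)}


# Constructed sample host: legacy TLS, weak cipher, exposed .git, autoindex.
SAMPLE_HOST = "shop.example.com"
SAMPLE_TLS = ("TLSv1.0", "ECDHE-RSA-DES-CBC3-SHA")
SAMPLE_HEADERS = {"Server": "nginx/1.18.0", "Content-Type": "text/html",
                  "X-Frame-Options": "DENY"}
SAMPLE_PATHS = {"/": (200, "<html>Welcome</html>"),
                "/.git/HEAD": (200, "ref: refs/heads/main"),
                "/backup.zip": (404, ""),
                "/uploads/": (200, "<title>Index of /uploads/</title>"),
                "/admin/": (403, "Forbidden")}


def self_check(host=SAMPLE_HOST, tls=SAMPLE_TLS, headers=SAMPLE_HEADERS,
               paths=SAMPLE_PATHS):
    findings = check_tls(host, *tls) + check_headers(host, headers) + check_paths(host, paths)
    return verdict(findings)


if __name__ == "__main__":
    v = self_check()
    print(v["result"], f"({len(v['failing'])} of {v['reported']} findings fail)")
    for f in v["failing"]:
        print(f" - [{f.cvss}] {f.title}: {f.remediation}")
```

Note the split the verdict makes: the three missing headers and the version banner are reported but do not fail the scan on their own, while the legacy TLS version, the 3DES suite, the reachable `.git/HEAD` and the directory listing each do. The automatic-failure set shows why a low-scored SQL injection finding still fails.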
No. PCI ASV scans are deliberately external and unauthenticated. They simulate what an attacker on the internet would see, without any inside knowledge. You don't share usernames, passwords, SSH keys, or VPN access.
The only things you need to do:
Provide the public domain or IP address of every internet-facing system that's part of your cardholder data environment.
Make sure your firewall / WAF / IPS allows the Clone Systems scanners to reach those assets. If their traffic is blocked or rate-limited, the scan can't be completed properly. (Detectify can share the scanner IP ranges to allowlist.)
That's it! Once those are in place, scans run automatically on the schedule.
You must complete a passing ASV scan at least once every 90 days, regardless of any other activity. If a significant change occurs, such as a firewall update or network reconfiguration, you are also required to run an additional scan after the change to validate it, even if your scheduled quarterly scan was completed recently. These event-driven scans do not reset your 90-day deadline; you must still produce four passing quarterly scans per year. Together, the two rules keep your compliance continuous and catch vulnerabilities introduced during environment changes. Achieving a "Pass" requires remediating every vulnerability with a CVSS score of 4.0 or higher.
Failing a scan is normal. Most organisations don't pass on the first try, and PCI explicitly allows for it. Here's what to expect:
You get a detailed report showing every failing vulnerability, its severity, the affected host, and remediation guidance.
Fix the issues, patch software, update TLS configs, close unnecessary ports, etc.
Run a rescan from Detectify once you've remediated. There's no extra charge or waiting period; you can rescan as often as you need within your scan window.
Repeat until you pass. Only a passing scan produces an Attestation of Scan Compliance (AoSC) you can submit to your acquiring bank or QSA.
For PCI DSS compliance, you need a passing scan at least once every 90 days, so as long as you remediate and pass before that window closes, a single failure isn't a problem. If a finding is a false positive or doesn't actually apply to your environment, you can dispute it through Detectify and Clone Systems' ASV team will review it.
Most traditional ASV providers give you a standalone PCI portal, separate login, separate dashboard, separate workflow from the rest of your security tooling. Detectify is different in a few ways:
One platform for everything. PCI ASV scans live alongside Detectify's continuous attack surface monitoring and vulnerability scanning, so you get a single view of your external security posture instead of switching between tools.
Built into your existing Detectify workflow. Same dashboard, same asset inventory, same notifications, no parallel system to learn or maintain.
Modern, automation-first. Traditional ASVs are often built around manual portal use. Detectify is API-driven, so scans, results, and reports can be pulled into your own tooling.
Continuous context. Because Detectify already monitors your attack surface continuously, you have visibility into changes between PCI scans, not just the snapshot every 90 days.
The ASV certification itself comes from Clone Systems (a long-established PCI-approved vendor), so you get the same compliance-grade scanning the PCI Council requires, delivered through a more modern experience.
Yes, automation is one of the main reasons customers choose Detectify for PCI ASV.
Scans run on a schedule automatically. Once you've configured a profile (monthly or quarterly), you don't need to start scans manually. Reports appear in your dashboard when they're ready.
API access. Detectify exposes an API, so you can list profiles, fetch scan results, download reports, and trigger rescans programmatically, which is useful for tying compliance status into your own dashboards or audit tooling.
Notifications. You can be alerted when a scan completes, when results change, or when remediation is needed, so PCI status feeds into the same channels (email, Slack, ticketing) your team already uses.
CI/CD and ticketing fit. Because results are accessible via API, teams commonly auto-create Jira tickets for new findings, fail builds on regressions, or post compliance status to internal portals.
In short: you can run PCI ASV as a fully automated, hands-off compliance process and only get involved when something actually needs remediation.
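The two things teams usually automate on top of the API are the 90-day window described earlier (is the last quarterly pass still within 90 days, and when is the next one due?) and turning a failed report into de-duplicated tickets. The following is an added example, not Detectify code: the scan-history and report records below are constructed, and their field names are an assumption for illustration rather than Detectify's actual API schema; in practice you would fetch the equivalent records from the API and map their fields onto these.

```python
"""PCI ASV compliance-window tracking and ticket generation over constructed data.

Added example (not Detectify code). Record shapes below are assumed for
illustration, not the real Detectify API schema.
"""
from datetime import date, timedelta

WINDOW_DAYS = 90       # a passing quarterly scan is needed at least this often
DUE_SOON_DAYS = 14     # warn when the deadline is this close
PASS_THRESHOLD = 4.0   # CVSS at or above this blocks a Pass

# Constructed scan history. "trigger" distinguishes scheduled quarterly scans and
# their rescans from event-driven scans after significant changes, which (as the
# page states) do not reset the 90-day deadline.
SCAN_HISTORY = [
    {"id": "scan-101", "completed": "2024-01-10", "result": "Pass", "trigger": "scheduled"},
    {"id": "scan-102", "completed": "2024-03-28", "result": "Fail", "trigger": "scheduled"},
    {"id": "scan-103", "completed": "2024-04-02", "result": "Pass", "trigger": "rescan"},
    {"id": "scan-104", "completed": "2024-05-15", "result": "Fail", "trigger": "change"},
    {"id": "scan-105", "completed": "2024-06-20", "result": "Pass", "trigger": "change"},
]

# Constructed failed report; "automatic_failure" marks an ASV automatic failure.
FAILED_REPORT = {
    "scan_id": "scan-104",
    "findings": [
        {"host": "pay.example.com", "port": 443, "title": "TLS 1.0 supported",
         "cvss": 5.3, "remediation": "Disable TLS 1.0/1.1"},
        {"host": "pay.example.com", "port": 443, "title": "Missing X-Content-Type-Options",
         "cvss": 2.6, "remediation": "Add the header"},
        {"host": "api.example.com", "port": 8443, "title": "Outdated web server build",
         "cvss": 7.5, "remediation": "Upgrade to a supported release"},
        {"host": "api.example.com", "port": 8443, "title": "Outdated web server build",
         "cvss": 7.5, "remediation": "Upgrade to a supported release"},  # duplicate
        {"host": "pay.example.com", "port": 443, "title": "SQL injection in search",
         "cvss": 3.0, "automatic_failure": True, "remediation": "Parameterise the query"},
    ],
}


def last_quarterly_pass(history):
    """Most recent Pass that counts toward the quarterly requirement, or None."""
    dates = [date.fromisoformat(s["completed"]) for s in history
             if s["result"] == "Pass" and s["trigger"] in {"scheduled", "rescan"}]
    return max(dates, default=None)


def compliance_status(history, today):
    """Classify the window as compliant / due-soon / lapsed / non-compliant."""
    last = last_quarterly_pass(history)
    if last is None:
        return {"state": "non-compliant", "last_pass": None, "deadline": None, "days_left": 0}
    deadline = last + timedelta(days=WINDOW_DAYS)
    days_left = (deadline - today).days
    if days_left < 0:
        state = "lapsed"
    elif days_left <= DUE_SOON_DAYS:
        state = "due-soon"
    else:
        state = "compliant"
    return {"state": state, "last_pass": last.isoformat(),
            "deadline": deadline.isoformat(), "days_left": days_left}


def blocks_pass(finding):
    """ASV rule: CVSS >= 4.0 or an automatic-failure class."""
    return finding["cvss"] >= PASS_THRESHOLD or finding.get("automatic_failure", False)


def tickets_for(report, existing_keys=frozenset()):
    """One ticket per (host, port, title) that blocks a Pass; skips known keys."""
    tickets, seen = [], set(existing_keys)
    for f in report["findings"]:
        key = (f["host"], f["port"], f["title"])
        if not blocks_pass(f) or key in seen:
            continue
        seen.add(key)
        tickets.append({
            "summary": f"[PCI ASV] {f['title']} on {f['host']}:{f['port']}",
            "priority": "Highest" if f["cvss"] >= 7.0 else "High",
            "description": (f"Scan {report['scan_id']} (CVSS {f['cvss']}). "
                            f"Remediation: {f['remediation']}"),
            "labels": ["pci-asv", report["scan_id"]],
        })
    return tickets


if __name__ == "__main__":
    status = compliance_status(SCAN_HISTORY, date(2024, 6, 25))
    print(f"{status['state']}: last quarterly pass {status['last_pass']}, "
          f"deadline {status['deadline']} ({status['days_left']} days left)")
    for t in tickets_for(FAILED_REPORT):
        print(f"{t['priority']:>7}  {t['summary']}")
```

Two details carry the page's rules into code: the passing event-driven scan on 2024-06-20 does not move the deadline, which stays 90 days after the passing rescan of 2024-04-02, and the low-scored SQL injection finding still produces a ticket because it is an automatic failure. Pass the keys of tickets already open as `existing_keys` so a rescan that still fails does not file duplicates.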
You will receive an Attestation of Scan Compliance (AoSC), the document your bank or acquirer requires as proof of scan compliance. Detectify also provides high-level summaries for leadership and granular technical data for security teams, plus a remediation report with actionable steps to fix vulnerabilities and reach a passing status.
In normal circumstances, no. PCI ASV scans are designed to be safe to run against production systems, and that is how the vast majority of customers run them.
A few things worth knowing:
Non-intrusive by design. The PCI Council requires ASV scans to be non-disruptive: they probe and fingerprint services rather than exploiting them, so they are designed not to crash systems or alter data.
Light traffic load. Scans generate some additional traffic, but it's modest compared to normal user load. Most customers run scans during business hours without anyone noticing.
Watch your defenses. The most common "impact" customers see isn't from the scan itself, it's from their WAF, IPS, or rate-limiter mistakenly blocking the scanner. This doesn't cause downtime, but it can cause the scan to fail or under-report findings. Allowlisting the Clone Systems scanner IPs prevents this.
Off-hours scheduling. If you'd prefer extra caution, you can schedule scans during low-traffic periods.
Fragile or legacy systems. Very old or sensitive systems can occasionally behave unpredictably under any kind of probing. If you have specific concerns about a particular host, let us know and we can advise.
In short: scans are built to be production-safe, and downtime is extremely rare. The main thing to plan for is making sure your security controls don't block the scanner.
Secure your core payment functionality and complete your PCI DSS compliance
Start scanning to find exploitable vulnerabilities and maintain audit-readiness across your entire attack surface.
Start 2-week free trial