If a merchant is eligible to complete a SAQ-A to report on the results of their compliance assessment, are they required to engage an ASV (approved scanning vendor) to complete external vulnerability scans?
The Merchant must always comply with their Acquirer’s direction.
V3.1 of the SAQ A does not include requirement 11.2.2. Only SAQ A-EP, SAQ B-IP, SAQ C, and SAQ D include requirement 11.2.2.
The other SAQs do include Part 3a within the Validation and Attestation details and the accompanying AOC (Attestation of Compliance) forms, though. The form does not say that this box needs to be checked; in fact, it instructs the signatory to check only the items that apply.
So before the merchant’s executive officer signs the Validation and Attestation, they should simply double-check that the ASV scan box is NOT checked.
If we look at a sample Acquirer’s (Moneris) requirements though, we see that they list an ASV scan as a requirement for all Merchant levels and further state:
“PCI DSS requires that all merchants perform external network scanning to achieve compliance (requirement 11.2). Acquirers may require submission of scan reports and/or questionnaires by level 4 merchants.”
Another Acquirer, Beanstream, doesn’t have their criteria on their website, but does indicate that it may not be required.
“we will ask you to complete a PCI DSS self-assessment questionnaire and, only if required, a network scan.”
Visa USA’s site indicates that an ASV scan is required “when applicable”. Presumably, Visa is referring to your Acquirer’s decision.