Reconciling Quarterly ASV and QSA Scanning Requirements

Rebecca Larson, ScanDesk Director, Coalfire

How to address the differing usage of the term “quarterly” by an entity’s ASV vendor and its PCI DSS QSA.

Quarterly ASV Scans and Timing

In the compliance realm, the term “quarterly” seems to be a sound and straightforward term used to provide guidance and to aid entities in adhering to requirements. However, its meaning can vary based on its context when dealing with the various compliance requirements from your ASV and your QSA. Here are some guidelines on what you can do to avoid getting snagged in the potential mire of abiding by quarterly scanning requirements.

Quarterly, according to ASV program guidelines, is defined as achieving a passing scan at least once within a 90-day period. From all outward appearances this seems to be an up-front, understandable task that can be easily achieved. This is especially so if an entity is following industry best practice by performing monthly ASV scans. The definition of quarterly becomes problematic when an entity attempts to adhere strictly to ASV guidelines without also considering the PCI SSC’s intent behind the term. Per PCI SSC FAQ #1087, the term “quarterly” is intended to mean “conducted as close to three months or 90 days apart as possible.”

Here is an example scenario:

An entity performs monthly ASV scans, conducts appropriate remediation, and files disputes against applicable findings as defined by their vulnerability management program. The entity achieves a passing ASV scan on January 20. The entity continues scanning monthly in accordance with their vulnerability management program regardless of having achieved a passing quarterly scan on January 20. But, because the entity had easily and early-on achieved a passing scan for Q1, they head into Q2 only loosely following their established vulnerability management program. They do not perform timely remediation and do not file disputes against applicable findings until eventually achieving a second passing ASV scan on June 20.

In this scenario, the entity has by definition achieved ASV compliance by producing two passing scans for two consecutive quarters, even though the two scans were more than 90 days apart (reference: ASV Guide 2.0). However, based upon the guidance presented in PCI SSC FAQ #1087, the entity may be found non-compliant during their PCI DSS assessment due to the 5-month gap between passing ASV scans. The entity will be responsible for explaining and justifying the 5-month gap, providing documentation for potential failures in the entity’s vulnerability management program, and any potential failures in the entity’s security policies and procedures.

To steer clear of any potential snags along the road to PCI and ASV compliance, an entity should:

  • maintain a monthly scanning schedule (for example, pick a set recurring date such as the 2nd Friday of every month);
  • adhere to documented vulnerability management processes and procedures, and review and analyze all scan results;
  • perform vulnerability remediation as outlined in the PCI DSS; and
  • file monthly disputes against any applicable findings.
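As an added illustration (not part of the original article and not Coalfire tooling), the following Python script encodes the two readings of “quarterly” from the scenario above and the recurring monthly schedule recommended in the list: an ASV-style check that every quarter in the assessment window contains at least one passing scan, an FAQ #1087-style check that consecutive passing scans are no more than 90 days apart, the latest date by which the next passing scan is due, and a generator for “2nd Friday of every month” scan dates. The scan dates are the article’s January 20 and June 20; the year 2023 and the use of calendar quarters are assumptions.

```python
from datetime import date, timedelta
import calendar

# Constructed sample data: the passing ASV scan dates from the article's scenario
# (January 20 and June 20). The year is an assumption; the article gives none.
SCENARIO_PASSING_SCANS = [date(2023, 1, 20), date(2023, 6, 20)]

# PCI SSC FAQ #1087 intent: successive passing scans as close to 90 days apart as possible.
MAX_GAP_DAYS = 90


def calendar_quarter(d):
    """Return (year, quarter 1-4) for a date. Calendar quarters are an assumption here."""
    return (d.year, (d.month - 1) // 3 + 1)


def quarters_without_pass(passing_scans, first_quarter, last_quarter):
    """ASV-style check: every quarter in the window needs at least one passing scan.

    first_quarter and last_quarter are inclusive (year, quarter) tuples.
    Returns the quarters that have no passing scan at all.
    """
    covered = {calendar_quarter(d) for d in passing_scans}
    missing = []
    year, q = first_quarter
    while (year, q) <= last_quarter:
        if (year, q) not in covered:
            missing.append((year, q))
        q += 1
        if q > 4:
            year, q = year + 1, 1
    return missing


def excessive_gaps(passing_scans, max_gap_days=MAX_GAP_DAYS):
    """FAQ #1087-style check: consecutive passing scans more than max_gap_days apart.

    Returns a list of (earlier_date, later_date, gap_in_days) for every such pair.
    """
    ordered = sorted(passing_scans)
    findings = []
    for earlier, later in zip(ordered, ordered[1:]):
        gap = (later - earlier).days
        if gap > max_gap_days:
            findings.append((earlier, later, gap))
    return findings


def next_pass_due(last_passing_scan, max_gap_days=MAX_GAP_DAYS):
    """Latest date by which the next passing scan should be achieved to stay within the 90-day intent."""
    return last_passing_scan + timedelta(days=max_gap_days)


def nth_weekday(year, month, weekday, n):
    """Date of the n-th given weekday (calendar.MONDAY..calendar.SUNDAY) in a month, e.g. the 2nd Friday."""
    first_weekday, _ = calendar.monthrange(year, month)
    offset = (weekday - first_weekday) % 7
    return date(year, month, 1 + offset + 7 * (n - 1))


def monthly_scan_schedule(year, weekday=calendar.FRIDAY, n=2):
    """Recurring scan dates for a whole year: the n-th weekday of every month (default: 2nd Friday)."""
    return [nth_weekday(year, m, weekday, n) for m in range(1, 13)]


if __name__ == "__main__":
    missing = quarters_without_pass(SCENARIO_PASSING_SCANS, (2023, 1), (2023, 2))
    print("Quarters without a passing scan (ASV reading):", missing or "none")
    for earlier, later, gap in excessive_gaps(SCENARIO_PASSING_SCANS):
        print(f"{earlier} -> {later}: {gap} days between passing scans exceeds {MAX_GAP_DAYS}")
    print("Next passing scan was due by:", next_pass_due(SCENARIO_PASSING_SCANS[0]))
    for d in monthly_scan_schedule(2023):
        print("Scheduled monthly scan:", d)
```

Run against the scenario, the ASV reading reports no missing quarter, while the gap check flags the January 20 to June 20 pair at 151 days and shows that the next passing scan was due by April 20. Feeding the script a full year of passing scans from the monthly schedule is a quick way to confirm that a program satisfies both readings of “quarterly” before an assessment.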

ASV scans should be conducted not only with PCI DSS compliance in mind, but also with a focus on overall security and industry best practice.

To optimize the return on your scanning investments, as well as to better align your compliance program with corporate security goals, you should maintain scanning best practices that meet compliance requirements. This reduces the burden of needing special exceptions and explanations during assessment, and it upholds a better security posture for the systems and endpoints that require protection. If you’d like to understand more about our ASV or PCI compliance programs, or are concerned about your already existing compliance program, or have further inquiries as they relate to the term “quarterly”, please contact Coalfire for more information.

Rebecca Larson