External vulnerability scans must be performed quarterly by which type of vendor?

Prepare for the PCI Data Security Standard Test with our quiz. Use flashcards and multiple-choice questions to learn each concept. Get ready to excel in your examination!

Multiple Choice

External vulnerability scans must be performed quarterly by which type of vendor?

Explanation:
External vulnerability scans must be performed quarterly by an Approved Scanning Vendor (ASV) approved by the PCI Security Standards Council (PCI SSC). ASVs are vetted and authorized by PCI SSC to use standardized, independent scanning methods. This provides consistent, auditable validation of vulnerabilities on externally facing systems from an outside perspective, which is essential for PCI compliance and for generating reliable evidence for audits and card brands. An internal team or a non-approved vendor would not satisfy the PCI requirement, because its scans would not meet the standardized validation process and approval criteria that PCI SSC mandates.

