How to Choose an Approved ASV Provider in the UK: Compliance Checklist
Finding the right approved ASV provider in the UK requires more than a Google search. Whether you process Visa, Mastercard, or American Express payments in the UK, selecting a Qualified Security Assessor (QSA) or Approved Scanning Vendor (ASV) that meets PCI DSS 3.2.1, NCSC Cyber Essentials, and ICO GDPR standards is critical. This guide walks you through vetting vendors so that your payment systems remain compliant and secure.
Step 1: Verify PCI DSS 3.2.1 Accreditation and QSA/ASV Status
Your first checkpoint: confirm the vendor’s official accreditation. The PCI Security Standards Council maintains a public register of approved service providers. An approved ASV provider must appear on the PCI Council’s approved list.
- Check their certificate: Request their current ASV or QSA certificate and validate the expiry date. Certificates must be renewed annually.
- Review their scope: Ensure they cover your payment network—whether card-present, card-not-present, or e-commerce scanning.
- Assess PCI DSS version support: Confirm they conduct scans aligned with PCI DSS 3.2.1 and understand the transition roadmap toward PCI DSS 4.0 (required by April 2025).
Techtweek Infotech has guided 150+ UK enterprises through ASV selection since 2018, and we always recommend requesting a Rescope or Assessment Summary from your potential vendor—this shows they’ve already vetted your environment’s complexity.
Step 2: Confirm NCSC Cyber Essentials and UK Regulatory Alignment
Beyond PCI DSS, UK law requires you to meet NCSC Cyber Essentials standards (or Cyber Essentials Plus for government contracts). Your ASV must understand and align with these controls:
- NCSC alignment: Your provider should confirm they operate from secure UK or EU data centres (ideally eu-west-2 for latency and compliance). Ask if they’ve undergone NCSC Cyber Essentials assessment themselves.
- ICO GDPR compliance: If your ASV scans systems handling cardholder data that includes PII, they must comply with UK GDPR and the Data Protection Act 2018, both enforced by the ICO. Verify that their Data Processing Agreement (DPA) explicitly covers cardholder data and breach notification timelines (72 hours under ICO rules).
- FCA PS21/3 awareness: If you’re regulated by the Financial Conduct Authority, your ASV should understand operational resilience requirements and incident reporting (especially for payment system failures).
Request their Security Audit Report (SOC 2 Type II) or ISO 27001 certification—these demonstrate maturity in handling UK-regulated environments.
Step 3: Evaluate Service Delivery and Support Standards
Technical accreditation alone doesn’t guarantee excellent service. Assess these operational criteria:
- Scan frequency and scheduling: Do they offer weekly, monthly, or on-demand scans? PCI DSS requires quarterly scans at minimum, plus rescans after changes. Confirm their scanning window aligns with your UK business hours or 24/7 follow-the-sun support.
- Reporting clarity: Request a sample ASV Report on Compliance (ROC) and ensure it clearly maps vulnerabilities to PCI DSS requirements. Does it explain remediation steps in plain English?
- Remediation support: Ask if they offer re-scan guidance or remediation services after vulnerabilities are found. Leading UK ASVs (like Techtweek) include unlimited re-scans during your compliance window.
- UK-based support: Verify they have UK support staff available during business hours. Time zone delays cost money when vulnerabilities block payment processing.
- SLA and uptime: Confirm their scanning platform uptime SLA (ideally 99.9%) and their breach notification SLA under GDPR (24 hours to notify your business; 72 hours to ICO).
Step 4: Pricing, Contract Terms, and Hidden Costs
Compare proposals on total cost of ownership, not just headline price:
- What’s included: Baseline scan pricing should cover unlimited re-scans, quarterly reporting, and vulnerability remediation guidance. Beware vendors charging separately for re-scans or report delivery.
- IP range and scope creep: Confirm pricing for your exact IP range. Some vendors charge per IP or subnet—costs escalate quickly for multi-region UK deployments.
- Contract length: Annual contracts offer better value than month-to-month, but ensure a 30-day exit clause if service quality drops.
- Currency and VAT: Confirm all prices are in GBP and inclusive of UK VAT (20%). Some vendors hide conversion costs.
Techtweek Infotech offers transparent, fixed-price ASV scanning for UK enterprises—no per-IP surcharges, no hidden re-scan fees.
Step 5: Ask the Right Questions Before Signing
Before committing, run this final checklist:
- “Can you provide three UK client references in my sector?”
- “What’s your process if a scan fails or is inconclusive?”
- “Do you handle multi-MID or multi-acquirer environments?”
- “How do you handle emergency re-scans if a security incident occurs?”
- “Is your DPA compliant with UK GDPR, ICO guidance, and FCA operational resilience rules?”
- “What’s your incident response time if your scanning platform is compromised?”
A reputable approved ASV provider in the UK will answer confidently and provide written evidence. Hesitation is a red flag.
Final Checklist: Your ASV Selection Decision Matrix
Use this simple scoring table before final approval:
- PCI Council accreditation: ✓ Current and verified
- NCSC/ICO/FCA alignment: ✓ DPA signed; SOC 2 or ISO 27001 certified
- UK support availability: ✓ Same-day contact; UK-based team
- Scan delivery and re-scans: ✓ Unlimited re-scans included; 24-hour turnaround
- Pricing transparency: ✓ Fixed GBP cost; no hidden fees
- Client references: ✓ At least two UK references provided and verified
Selecting an approved ASV provider in the UK is an investment in compliance confidence and payment security. Take time to vet thoroughly: the cost of a breach far exceeds the cost of a premium, trustworthy scanning vendor.
Frequently Asked Questions
What’s the difference between an ASV and a QSA?
An ASV (Approved Scanning Vendor) conducts external network vulnerability scans for PCI DSS compliance. A QSA (Qualified Security Assessor) performs comprehensive PCI DSS assessments including on-site audits. Both must be PCI Council approved; choose ASV for scanning only, QSA for full compliance reviews.
How often must I rescan with an approved ASV provider?
PCI DSS 3.2.1 requires at least quarterly scans (every 90 days) and re-scans after material changes. Best practice for UK payment processors is monthly scans. Your ASV should offer unlimited re-scans during compliance windows.
Do I need NCSC Cyber Essentials before choosing an ASV?
Not mandatory for ASV selection, but ICO and NCSC recommend it. UK enterprises processing payments should align with Cyber Essentials controls. Many approved ASVs now help clients achieve both PCI DSS and Cyber Essentials simultaneously.
What if my ASV provider has a data breach?
Your ASV must notify you within 24 hours and the ICO within 72 hours under UK GDPR. This is why checking their SOC 2 Type II certification and incident response SLA is critical. Request their breach notification procedure before signing.
Can Techtweek Infotech help me choose and implement ASV scanning?
Yes. As an AWS Advanced Consulting Partner, Techtweek advises 150+ UK clients on ASV selection, handles implementation, and provides 24/7 follow-the-sun support. We can also guide you toward PCI DSS 4.0 readiness and NCSC alignment simultaneously.
Read the full guide: PCI Scanning (External ASV) in UK.