Results

You know you need to complete regular vulnerability scans for PCI compliance and you know they have to be completed by an Approved Scanning Vendor.

But the PCI Council lists 85 ASVs on its website. To make the market more complicated, there are other security vendors that are not certified as ASVs by the PCI Council but offer PCI scanning services by reselling the scanning tools of certified ASVs.

How do you know which firm to choose to manage your PCI ASV scans? Below we’ve ranked PCI ASV solutions by rating, reputation, pricing and service packages to help you quickly decide which ASV option is most suitable for your organization.

The Best PCI ASV Solutions Ranked

There are a total of 85 ASV companies listed on the PCI SSC website. Of the 85 ASV companies listed, the majority are located in the U.S. The rest are located in various countries around the world and cater to their specific regions. 76 of the ASV companies on the PCI SSC’s list serve global locations. So which ASV should you choose?

Some companies are well-known within the security world due to their other product listings. Some of the most well-known and popular ASV companies are as follows:

1. Qualys

Product: Qualys PCI

Qualys is one of the largest vulnerability scanning platforms available. Qualys was founded in 1999 and has more than 10,000 subscription customers worldwide in more than 130 countries. They also have strategic partnerships with Microsoft Azure, AWS, and Google Cloud.

Pros

  • Based in the United States
  • Serves globally
  • Cloud-based
  • Intuitive and customizable dashboard
  • Unlimited on demand scans
  • Offers multiple services
  • Flexible scan scheduling
  • Offers support
  • Strong reputation
  • Highly rated

Cons

  • Price per IP address

2. Sectigo

Product: HackerGuardian

Sectigo has over 700K businesses using its platform. Operating primarily in certificate management as a Certificate Authority, Sectigo is one of the world’s largest and longest-standing CAs.

Pros

  • UK-based for European entities
  • Unlimited on demand scans
  • Flexible scan scheduling
  • Offers support
  • Price
  • Serves globally

Cons

  • No security trust seal

3. Tenable.io

Product: Tenable.io PCI ASV Service 2022

Tenable was founded in 2002 and has over 40K customers worldwide. Tenable’s product Nessus is one of the most popular vulnerability scanning applications in the world.

Pros

  • Based in the United States
  • Serves globally
  • Cloud-based
  • Strong Reputation
  • Highly rated
  • Offers support

Cons

  • Scan schedule flexibility
  • Price per IP

4. GM Security Technologies

Product: FirstFire v1.4

GM Sectec has over 50 years of experience in IT and technology. Their services primarily focus on cybersecurity, governance, and compliance solutions aimed at managing digital risk. They are a worldwide company with operations in over 50 countries.

Pros

  • Based in the United States
  • Utilizes deep learning for vulnerability detection
  • Combined service with vulnerability management, PCI ASV, Attack Surface Management, and more
  • Cloud-based
  • Multiple scanning types (active scanning, agent scanning, passive monitoring, cloud connectors)

Cons

  • Unknown pricing

5. Optiv

Product: PCI ASV Scanning Portal

Optiv is a more hands-on security provider. They work alongside their clients to manage cyber risk and equip them with perspectives and programs to accelerate business progress.

Pros

  • Based in the United States
  • Unlimited scanning
  • 1:1 ASV setup consulting
  • Full catalog of other PCI services
  • High reputation
  • Covers various industries in cybersecurity

Cons

  • Unknown pricing

6. Saint Corporation

Product: SAINT ASV Solution

SAINT is a veteran-owned small business based in Maryland in the US. They serve numerous Federal Agencies with their managed security services.

Pros

  • Internal + External network vulnerability scans
  • Internal + External penetration testing
  • Remediation assistance

Cons

  • Not a lot of features
  • Not clear features/information about the product online
  • Unknown pricing

7. SecureWorks, Inc.

Product: Managed Vulnerability Services - PCI

SecureWorks operates in 75+ countries and provides hands-on services for various cybersecurity processes, including data breach engagements.

Pros

  • No internal software needed
  • SAQ support
  • Remediation advice based on your scan results

Cons

  • Unknown scanning frequency limits
  • Unknown pricing

8. SecurityMetrics, Inc.

Product: SecurityMetrics ASV Scan II

SecurityMetrics is one of the most well-known names in cybersecurity. Since 2010 they have won over 38 industry awards for helping secure companies large and small.

Pros

  • Self-managed interface for scan scheduling
  • Better organization of scan information
  • Choose scanning schedule
  • Export results in different formats (PDF/Excel)
  • Continuous false positive reduction efforts

Cons

  • Unknown scanning frequency limits
  • Unknown pricing

Differences Among ASVs

While there aren’t a lot of differences among the various ASV products due to the ASV Program Requirements, there are differences in what the ASV company caters to.

Some of these variations include geographic operations (US-based vs. Europe-based), targeted industry, various other service offerings, etc. The ASV operating requirements set forth by your organization will help narrow down the list of ASVs to choose from.

Some questions your organization can consider when shopping for an ASV company can include:

  • Does the ASV company serve my industry?
  • Does the ASV company support my location? Due to cloud computing, most ASVs support global service.
  • Where is the ASV company headquarters?
  • What are the applicable data privacy laws in relation to the ASV company’s home country?
  • What's included in the ASV service pricing?
  • Does your organization require just scanning services or do you also require scanning and detection?
  • Does your organization require an ASV company that also does application scanning or just network scanning?

Once your organization fully understands the ASV service requirements, you can then narrow down applicable ASV companies.

Tips For Choosing An ASV

While the PCI SSC has provided assistance in vetting ASV companies and services, it can still be confusing to choose the most appropriate ASV company for you from so many options. The largest factor is obviously pricing.

Pricing will affect smaller/medium-sized organizations more as this will significantly increase your ongoing PCI compliance costs. However, if pricing is a lower priority and better scan quality a high priority, choosing the well-known companies listed above will be your best option.

There are some final things to consider when choosing your ASV scanning vendor. These considerations should be evident in any vendor you choose to do business with and should be embedded in your vendor due diligence processes. While some of these considerations might not be important to you and your organization, weigh them out to help you sift through the ASV vendor list.

Your Organization’s Security Posture

Your organization should consider your size, security maturity, and regulatory requirements to determine if ASV technical support is a high priority. For example, if an organization has a fully staffed security team, a larger ASV may not be necessary. That is, if your internal staff is technically capable of resolving remediation items without much external help, ASV technical support might not be high on your list.

ASV Company Customer Support & Staff Experience

On the other hand, having a 24/7/365 dedicated support staff can help your organization’s vulnerability program run smoothly. An ASV company having support staff means they can be more responsive and available to help you with your scans. An ASV company with experienced staff can provide helpful recommendations to resolve vulnerabilities in your organization's environment.

Unlimited Scanning and Re-scanning

Your organization should verify whether the ASV company offers unlimited scanning or per-scan billing. New vulnerabilities are discovered each day. If your organization wants to frequently scan systems to ensure they are safe, an unlimited option might be better than per-scan billing. If your organization uses another scanner that is not ASV-certified to continuously scan external resources, and the ASV company is used only for PCI compliance, a per-scan billing option may be better.

Additional ASV Company Service Offerings

Beyond vulnerability scanning, does the ASV company offer additional services your organization could utilize now or in the future? Offerings could include application vulnerability scanning, penetration testing, incident response, etc. You may be able to take advantage of discounts from the ASV company for purchasing multiple services. Take Qualys for example. If your organization is already using Qualys scanners for vulnerability management and inventory, Qualys would more than likely be the best option for your organization as your staff/team are already familiar with their interfaces. This will also cut down on the number of vendors you need to manage.

Geographic Location

Your organization’s operating locations (local, country-wide or global) should align with the services offered by the ASV. If your organization has locations globally, consider an ASV company that offers global services. This will ensure that your operating locations are scanned faster to provide quicker results.

Scanning Flexibility (Timing)

Your organization may also want to consider an ASV that allows you to accurately set scan times. For example, you may want to perform ASV scanning during off-hours to ensure that the scans will not affect production performance.

Cloud-based Scanning

Since most organizations are moving their technologies from on-premises to the cloud, having an ASV company that offers cloud-based scanning can make your scans faster.

Ultimately, any of the PCI SSC listed ASV companies will allow you to be compliant with PCI DSS ASV scanning requirements. When in doubt, stick with the bigger players in the overall cyber security space. If another ASV vendor better aligns with your operational requirements, then give them a try.

Remember that nothing is permanent. As your organization grows and expands one ASV vendor may be better than another. On an annual basis, when performing your PCI scoping exercises, re-consider your ASV scanning vendor to ensure that they are still the best option for where your PCI CDE is right now. If you’ve outgrown your current ASV vendor, shop for another by revisiting the criteria we discussed.

Copyright © 2022 Network Assured