Question 1

How much does an ASV scan cost?

Accepted Answer

Approved Scanning Vendor scans run $100 to $800 per quarter depending on the number of IPs and the vendor. Annual cost typically lands at $400 to $3,200. SecurityMetrics is the cheapest for small merchants. Qualys, Tenable, Rapid7, and Trustwave price higher and offer more detailed reporting. The PCI SSC maintains the official ASV directory.

Question 2

How often do you need PCI vulnerability scans?

Accepted Answer

Quarterly external ASV scans on every internet-facing IP. Internal vulnerability scans must also be quarterly under PCI DSS 4.0, and they must now be authenticated (with credentials) for the new authenticated scanning requirement. After any significant change you also need an out-of-cycle scan.

Question 3

What is the difference between an ASV scan and a penetration test?

Accepted Answer

An ASV scan is automated vulnerability scanning by an Approved Scanning Vendor, run quarterly, $100 to $800 per quarter. A penetration test is a manual assessment by skilled testers attempting to actively exploit vulnerabilities, run annually plus after significant change, $5,000 to $30,000 per engagement. Both are required.

Question 4

Do I need both internal and external scans for PCI?

Accepted Answer

Yes. External scans cover internet-facing systems and must be run by an ASV. Internal scans cover systems inside the cardholder data environment and can be run with your own tools (Nessus, Qualys, Rapid7) or by a third party. PCI DSS 4.0 made authenticated internal scanning mandatory.

Question 5

Which ASV scanning vendor is cheapest?

Accepted Answer

SecurityMetrics is the cheapest mainstream ASV at roughly $100 per quarter for small environments. Intruder is similarly priced and has a more modern interface. Qualys and Tenable cost more and are better suited to enterprise environments that already use them for internal vulnerability management.

ASV vendor	Per quarter	IP range	Notes
SecurityMetrics	$100-$300	1-10 IPs	Most popular for small merchants. Includes compliance portal.
Qualys	$200-$800	1-256 IPs	Enterprise-grade. Scales well. Strong vulnerability management integration.
Tenable (Nessus)	$250-$600	1-128 IPs	Best for organisations already using Nessus for internal scanning.
Trustwave	$200-$500	1-64 IPs	Also offers managed security services and pen testing.
Rapid7	$300-$700	1-128 IPs	Good integration with InsightVM for internal scanning.
Intruder	$150-$400	1-20 IPs	Modern interface. Good for smaller environments.

Test type	Cost range	Frequency	Cost factors
External Network Penetration Test	$5,000 - $30,000	Annual	Number of external IPs, services exposed, complexity
Internal Network Penetration Test	$5,000 - $20,000	Annual	Network size, number of VLANs, segmentation complexity
Web Application Penetration Test	$5,000 - $15,000	Annual + after significant changes	Application complexity, number of roles, APIs, authentication flows
Segmentation Validation Test	$3,000 - $10,000	Every 6 months (if segmentation used)	Number of segments, network topology complexity
Wireless Penetration Test	$3,000 - $8,000	Annual	Number of locations, wireless networks, physical security

Activity	Who runs it	Frequency	Typical cost
External ASV scan	PCI SSC Approved Scanning Vendor	Quarterly	$100 - $800 / quarter
Internal vulnerability scan	In-house or third party	Quarterly (authenticated under 4.0)	$2,000 - $15,000 / year
Penetration test (external)	Pen test firm	Annual + after significant change	$5,000 - $30,000
Penetration test (internal)	Pen test firm	Annual	$5,000 - $20,000
Segmentation validation	Pen test firm	Every 6 months (if segmentation used)	$3,000 - $10,000

PCI ASV scanning and penetration testing cost

ASV vulnerability scanning

Penetration testing

ASV scan vs pen test vs vulnerability scan

Need to start scanning today?

Frequently asked