ASV pricing
SecurityMetrics ASV scan cost 2026: SMB quarterly scanning pricing read
SecurityMetrics is the cheapest mainstream PCI ASV for SMB environments and has the most transparent published rate card in the ASV market. The bundled SAQ-plus-ASV product is the practical default for Level 4 merchants who want a single annual purchase that covers both compliance requirements.
Updated April 2026
Annual ASV: $100 - $1,200/yr (up to 100 IP range)
SAQ + ASV bundle: $200 - $500/yr (most common SMB purchase)
Best fit: Levels 3 and 4 SMB merchants
The SecurityMetrics ASV pricing model in plain English
SecurityMetrics publishes a transparent retail rate card for PCI ASV scanning on its public website. The pricing tiers are tied to internet-facing IP count rather than to vague "asset count" definitions, which makes budget planning straightforward. The entry tier covers up to 5 IPs at roughly $99 to $199 per year. The small business tier covers 5 to 25 IPs at $200 to $500 per year. The mid-market tier covers 25 to 100 IPs at $500 to $1,200 per year. Enterprise scoping (100+ IPs) crosses into custom quotes that typically remain competitive with Qualys standalone at that tier.
The bundled SAQ-plus-ASV product is where SecurityMetrics' commercial differentiation genuinely lands. For a typical Level 4 e-commerce merchant on SAQ A with 1 to 5 internet-facing IPs, the bundled annual fee of $200 to $400 covers SAQ A attestation, quarterly ASV scanning, attestation submission to the acquirer, and basic compliance portal access. The unbundled equivalent of buying SAQ attestation assistance from a consultant plus standalone PCI ASV scanning would run $500 to $1,500. The bundle saves materially and removes coordination overhead between two vendors.
Multi-year terms typically discount the year-one fee 10 to 15 percent for a three-year prepay on portal-tier products. For volume buyers (franchise networks, multi-location retailers, payment facilitators with downstream sub-merchants), volume pricing is genuinely competitive versus per-merchant ASV purchasing through other ASVs.
Three concrete cost scenarios
| Scenario | SecurityMetrics fee | What is included |
|---|---|---|
| Level 4 Shopify e-commerce (3 IPs) | $200 - $350/yr | SAQ A plus quarterly ASV scan bundle, AOC generation, acquirer submission |
| Level 3 multi-store retailer (15 IPs) | $400 - $750/yr | SAQ B-IP plus quarterly ASV scan bundle, multi-IP scope, compliance portal |
| Mid-market SaaS (50 IPs, ASV-only) | $800 - $1,400/yr | Standalone ASV scanning (no SAQ bundle, since SAQ D goes through a consultant) |
Anchored to the SecurityMetrics published rate card. The bundled SAQ-plus-ASV pricing is the most accessible PCI compliance path for Level 4 merchants.
The acquirer-portal pricing context
Many SMB merchants encounter SecurityMetrics not through direct purchase but through their acquiring bank's PCI compliance portal. Acquirer banks (TSYS, Worldpay, Global Payments, Heartland, Elavon) frequently white-label the SecurityMetrics compliance portal as part of the merchant agreement, with the SAQ-plus-ASV product priced into the merchant's monthly processing fee rather than as a discrete annual invoice. This is genuinely the cheapest legitimate path to PCI compliance for SMB merchants and is fundamentally the same SecurityMetrics product delivered through a different channel.
The acquirer-portal channel typically prices lower than the direct-buyer rate card because the acquiring bank subsidises a portion of the cost to drive merchant compliance throughput. For merchants on TSYS, Worldpay, or similar acquirers, using the acquirer's bundled portal is essentially always the cheapest option. The trade-off: portal customisation is limited, and merchants who want unusual configurations may need to fall back to direct SecurityMetrics purchase.
Merchants who switch acquirers periodically will find that this creates meaningful coordination friction: the SecurityMetrics relationship resets each time the acquirer changes, and SAQ workflow history does not always carry forward. For merchants stable on a single acquirer, the acquirer-portal channel is operationally smooth.
When SecurityMetrics ASV wins and when it does not
SecurityMetrics ASV wins for SMB merchants with up to 25 internet-facing IPs (cheapest mainstream ASV at this tier), for Level 4 merchants who want the bundled SAQ-plus-ASV product (genuinely the most cost-effective PCI compliance path), for merchants whose acquirer surfaces SecurityMetrics via portal partnership (typically the lowest total cost), and for merchants who value the failed-scan remediation experience over enterprise-grade vulnerability management reporting.
SecurityMetrics ASV does not win for enterprises with broader vulnerability management needs (Qualys VMDR, Tenable.io, or Rapid7 InsightVM consolidate VM stacks better), for buyers who need authenticated internal scanning alongside ASV (SecurityMetrics ASV is external-only; the SecurityMetrics broader product does include internal scanning but is priced for SMB rather than enterprise), or for buyers who want integration with enterprise SIEM platforms (the standalone ASV product does not have meaningful SIEM integration depth).
Negotiating with SecurityMetrics on ASV
Negotiation room is minimal on direct-buyer SAQ-plus-ASV pricing because the rate card is published and SMB economics depend on volume throughput rather than per-account margin. For volume buyers (franchise networks, payment facilitators, multi-location retailers), competitive volume pricing is available and can come in 25 to 40 percent below the per-merchant rate card for 100+ merchant deals.
For merchants moving from another ASV to SecurityMetrics, mention the existing-vendor relationship explicitly during the initial quote conversation. SecurityMetrics will often waive the first-year setup cost or include a free re-scan allowance for new customers transitioning in mid-cycle from Qualys or Tenable. This is not advertised but is consistently offered to credible competitor-migration buyers.
SecurityMetrics on the PCI SSC ASV directory
SecurityMetrics is listed in the official PCI SSC Approved Scanning Vendor directory.
Frequently asked
SecurityMetrics PCI ASV scanning runs $100 to $1,200 per year for small to mid-market environments. The entry tier (up to 5 internet-facing IPs) prices at roughly $99 to $199 per year, the small-business tier (5 to 25 IPs) at $200 to $500, and the mid-market tier (25 to 100 IPs) at $500 to $1,200. Pricing is published transparently on the SecurityMetrics website, which is unusual for the PCI ASV market. The SAQ-plus-ASV bundle (the most common SMB purchase) prices the ASV scanning at a discount versus standalone purchase.