PCI ASV Scanning & Penetration Testing Costs: What You'll Pay and What's Required
Vulnerability scanning and penetration testing are two of the most common technical requirements under PCI DSS. Quarterly ASV scans and annual pen tests are required for most merchants, but pricing is opaque and vendors rarely publish clear rates. This guide provides real pricing data from major vendors, explains exactly what PCI requires, and helps you choose the right providers without overspending.
Last verified: April 2026
ASV Scanning: What It Is and Who Needs It
An Approved Scanning Vendor (ASV) scan is an automated external vulnerability scan of your internet-facing systems. PCI DSS Requirement 11.3.2 (v4.x numbering; 11.2.2 in v3.2.1) requires merchants and service providers with internet-facing in-scope infrastructure to have an ASV scan at least once every three months, plus a rescan after any significant change (11.3.2.1). The scan checks for known vulnerabilities, open ports, misconfigurations, expired or weak TLS certificates and protocols, and other externally detectable issues that an attacker could exploit.
The ASV must be a company approved by the PCI Security Standards Council. You cannot use just any vulnerability scanner: the scan must be performed by an approved vendor using its PCI-validated scanning solution and methodology, and you, as the scan customer, attest that the scope covers every externally accessible in-scope IP address and domain. The PCI SSC maintains a public list of all approved ASVs on its website. After the scan completes, the ASV provides a compliance report and an Attestation of Scan Compliance indicating whether you passed or failed. Failing scans must be remediated and rescanned until you achieve a passing result.
You need quarterly ASV scans if your environment has any internet-facing systems in PCI scope: web servers, mail servers, VPN concentrators, firewalls and load balancers with public IP addresses, and any other host reachable from the internet. Which SAQ you file determines whether Requirement 11.3.2 appears in your questionnaire: SAQ A-EP, B-IP, C, and D include it, while SAQ C-VT and P2PE do not, because those environments have no internet-facing systems handling card data. SAQ A deserves a careful look: under PCI DSS v4 the SAQ A questionnaire includes 11.3.2 for e-commerce merchants, so a merchant whose site redirects to or embeds a third-party payment page still scans the web server that serves that page, while SAQ A merchants with no website (fully outsourced mail and telephone order) have nothing to scan. Confirm against the requirement list in the current SAQ published by PCI SSC and against what your acquirer expects.
ASV Vendor Pricing Comparison
The following table compares pricing from major ASV vendors. Prices are per quarter and vary by the number of external IP addresses scanned. Most vendors offer discounts for annual prepayment.
| ASV Vendor | Price / Quarter | IP Range | Notes |
|---|---|---|---|
| SecurityMetrics | $100-$300 | 1-10 IPs | Most popular for small merchants. Includes compliance portal. |
| Qualys | $200-$800 | 1-256 IPs | Enterprise-grade. Scales well. Strong vulnerability management integration. |
| Tenable (Nessus) | $250-$600 | 1-128 IPs | Best for organisations already using Nessus for internal scanning. |
| Trustwave | $200-$500 | 1-64 IPs | Also offers managed security services and pen testing. |
| Rapid7 | $300-$700 | 1-128 IPs | Good integration with InsightVM for internal scanning. |
| Intruder | $150-$400 | 1-20 IPs | Modern interface. Good for smaller environments. |
Pricing is approximate based on publicly available information and vendor quotes as of April 2026. Contact vendors directly for current pricing.
Penetration Testing: What PCI DSS Requires
PCI DSS Requirement 11.4 (11.3 in v3.2.1) mandates annual penetration testing for most merchants. Unlike automated ASV scans, penetration tests are manual, human-driven assessments conducted by skilled security professionals who actively attempt to exploit vulnerabilities in your environment. PCI DSS 4.0 tightened the penetration testing requirements, making them more specific about methodology and scope.
PCI DSS requires both external and internal penetration testing, each at least once every 12 months and after any significant infrastructure or application change (11.4.2 and 11.4.3). External tests simulate an attacker on the internet attempting to breach your perimeter defences. Internal tests simulate a malicious insider or an attacker who has gained initial network access. If you use network segmentation to reduce PCI scope, segmentation testing is also required to confirm that the segmentation controls effectively isolate the cardholder data environment: at least every 12 months and after changes for merchants (11.4.5), and at least every six months for service providers (11.4.6).
The penetration testing methodology must cover the entire CDE perimeter and critical systems, test both network-layer and application-layer vulnerabilities, address common attack vectors including those identified in the vulnerability scans, and be conducted by qualified internal resources or external service providers. Testers must be organisationally independent of the systems under test but need not be a QSA or ASV, and the results and remediation records must be retained for at least 12 months. PCI DSS 4.0 requires that the methodology be "defined, documented, and implemented" and include industry-accepted testing approaches (such as NIST SP 800-115, the OWASP Testing Guide, or PTES).
For a comprehensive overview of penetration testing costs beyond PCI, visit PenetrationTestingCost.com.
Penetration Testing Pricing
Penetration testing prices vary by scope, methodology depth, and the firm's reputation. The following table provides benchmark pricing for the types of pen testing typically required for PCI compliance.
| Test Type | Cost Range | Frequency | Key Cost Factors |
|---|---|---|---|
| External Network Penetration Test | $5,000 – $30,000 | Annual | Number of external IPs, services exposed, complexity |
| Internal Network Penetration Test | $5,000 – $20,000 | Annual | Network size, number of VLANs, segmentation complexity |
| Web Application Penetration Test | $5,000 – $15,000 | Annual + after significant changes | Application complexity, number of roles, APIs, authentication flows |
| Segmentation Validation Test | $3,000 – $10,000 | Annual for merchants; every 6 months for service providers (if segmentation is used) | Number of segments, network topology complexity |
| Wireless Penetration Test | $3,000 – $8,000 | Annual | Number of locations, wireless networks, physical security |
Total Annual Testing Budget
A typical Level 1 merchant needs an external pen test, an internal pen test, a web application pen test, annual segmentation validation, quarterly internal vulnerability scans, and quarterly ASV scans; the itemised annual total for that profile is in the budget summary at the end of this page. Level 4 merchants on SAQ A with no website may need no testing at all. See cost by level for level-specific requirements.
ASV Scan vs. Penetration Test vs. Vulnerability Scan: What's the Difference?
Many merchants confuse these three types of security assessment. Each serves a different purpose and is required under different circumstances. Understanding the distinctions helps you budget accurately and avoid paying for services you do not need.
| Attribute | ASV Scan | Internal Vulnerability Scan | Penetration Test |
|---|---|---|---|
| What it is | Automated external scan by approved vendor | Automated internal scan (authenticated scanning required under v4.0, Requirement 11.3.1.2) | Manual testing by skilled security professional |
| Scope | Internet-facing IPs only | All in-scope internal systems | CDE perimeter, internal, and applications |
| Frequency | Quarterly | Quarterly | Annually + after significant changes |
| Who performs it | PCI SSC-approved ASV only | Qualified internal staff or third party | Qualified internal or external tester |
| Typical cost | $100-$800/quarter | $0-$2,000/quarter | $5,000-$30,000/year |
| PCI requirement | 11.3.2 | 11.3.1 | 11.4 |
Choosing an ASV Vendor
All PCI SSC-approved ASVs meet the same baseline scanning methodology requirements, but they differ significantly in pricing, user experience, support quality, and additional features. Here is what to look for when selecting an ASV.
PCI SSC Approval
Verify the vendor is currently listed on the PCI SSC's approved ASV list. Approvals can lapse or be suspended.
IP Pricing Structure
Some vendors charge per IP; others offer tiered plans. Ensure the pricing matches your IP count. Ask about pricing for IP ranges you may grow into.
False Positive Support
False positives cause scan failures that require dispute resolution. Good ASVs have streamlined dispute processes. Ask how they handle false positives.
Remediation Guidance
When you fail a scan, does the vendor explain what to fix and how? Better vendors provide actionable remediation guidance, not just a list of CVE numbers.
Scheduling Flexibility
Can you schedule scans at specific times to avoid disrupting production? Important for e-commerce sites where scanning during peak hours could affect performance.
Additional Services
Some ASV vendors also offer SAQ completion portals, PCI compliance reporting, and internal scanning tools. Bundling these can provide cost savings and a single compliance dashboard.
What Happens When You Fail a Scan
Failing an ASV scan is common, especially for first-time scans. A failed scan does not immediately result in fines or penalties -- it triggers a remediation and rescan cycle. Here is the process:
Review the scan report
The ASV report lists every identified vulnerability with its CVSS base score and a severity band (typically Critical/High, Medium, Low) and flags which findings caused the failure. The pass/fail rule comes from the PCI SSC ASV Program Guide, not from the vendor: any vulnerability with a CVSS base score of 4.0 or higher fails the scan, so Medium findings fail it just as High and Critical ones do, and certain findings fail automatically regardless of score (for example SQL injection, cross-site scripting, default credentials, and unsupported operating systems or software). Findings scored below 4.0 are reported but do not block a passing result.
Remediate or dispute
For real vulnerabilities, apply patches, update configurations, or implement other fixes. For false positives, submit a dispute to the ASV with evidence that the finding is incorrect. The ASV will review the dispute and either accept it (removing the finding) or maintain it.
Request a rescan
After remediation, request a new scan from the ASV. Most ASV vendors include a limited number of rescans in their quarterly fee (typically 2-3). Additional rescans may cost $50-$200 each depending on the vendor.
Document the timeline
PCI DSS requires a passing scan at least once every three months. If your first scan of the quarter fails and you remediate and pass on the rescan within the same three-month window, you maintain compliance; a rescan that only passes after the window closes leaves that quarter uncovered. For an entity's first PCI DSS assessment, four consecutive passing quarters are not required: the assessor can accept the most recent scan being a pass, a documented policy requiring scans every three months, and a rescan showing that the findings from the initial scan were corrected. Keep records of all scan attempts, remediation efforts, and dispute resolutions for your annual assessment.
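To make the pass/fail rule and the quarterly timeline concrete, here is an added Python example (mine, not code from this page or from any ASV vendor). It encodes the CVSS 4.0 threshold and a small assumed subset of the automatic-failure categories, drops findings whose false-positive dispute the ASV has accepted, and then checks whether each calendar quarter of a constructed scan history contains a passing scan. The hosts (in the 203.0.113.0/24 documentation range), finding titles, scores, and dates are all constructed for the example.

```python
"""Added example, not from the page or any ASV vendor: a small model of the
ASV pass/fail rules and the quarterly coverage check described above.
Hosts, findings and dates are constructed sample data."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

# ASV Program Guide rule: any vulnerability with a CVSS base score of 4.0 or
# higher fails the scan, whatever severity label the vendor attaches to it.
FAIL_THRESHOLD = 4.0
# A few of the categories the guide fails automatically regardless of score
# (assumed subset for the example; an ASV's own list is longer).
AUTO_FAIL = {"sql_injection", "xss", "default_credentials", "unsupported_software"}


@dataclass
class Finding:
    host: str
    title: str
    cvss: float
    category: str = "generic"
    dispute_accepted: bool = False  # ASV accepted a false-positive dispute


def blocking_findings(findings: List[Finding]) -> List[Finding]:
    """Findings that keep the scan from passing once accepted disputes are removed."""
    return [
        f for f in findings
        if not f.dispute_accepted
        and (f.cvss >= FAIL_THRESHOLD or f.category in AUTO_FAIL)
    ]


def scan_passes(findings: List[Finding]) -> bool:
    return not blocking_findings(findings)


def quarter_of(when: date) -> Tuple[int, int]:
    """Calendar quarter used here as the three-month window."""
    return when.year, (when.month - 1) // 3 + 1


def quarterly_coverage(history: List[Tuple[date, bool]], year: int) -> Dict[int, bool]:
    """True for each quarter of `year` that contains at least one passing scan."""
    covered = {q: False for q in (1, 2, 3, 4)}
    for when, passed in history:
        y, q = quarter_of(when)
        if y == year and passed:
            covered[q] = True
    return covered


def uncovered_quarters(history: List[Tuple[date, bool]], year: int) -> List[int]:
    return [q for q, ok in quarterly_coverage(history, year).items() if not ok]


# Constructed first scan of the quarter: one auto-fail, two medium/high
# findings, one low finding, and one false positive the ASV already accepted.
FIRST_SCAN = [
    Finding("203.0.113.10", "End-of-life OpenSSL 1.0.2", 7.5, "unsupported_software"),
    Finding("203.0.113.10", "TLS 1.0 enabled", 5.3),
    Finding("203.0.113.11", "Reflected XSS in /search", 6.1, "xss"),
    Finding("203.0.113.12", "HTTP TRACE method enabled", 3.1),
    Finding("203.0.113.12", "Apache version banner", 5.0, dispute_accepted=True),
]
# Rescan after patching OpenSSL, disabling TLS 1.0 and fixing the XSS:
# only the low finding remains, which does not block a pass.
RESCAN = [Finding("203.0.113.12", "HTTP TRACE method enabled", 3.1)]

# Constructed scan history: Q1 fails on 15 Jan and passes on the February rescan.
HISTORY = [
    (date(2026, 1, 15), scan_passes(FIRST_SCAN)),
    (date(2026, 2, 20), scan_passes(RESCAN)),
    (date(2026, 5, 4), True),
    (date(2026, 8, 10), True),
    (date(2026, 11, 2), True),
]
# Same scans, but the Q1 rescan slipped into April: Q1 stays uncovered.
LATE_HISTORY = [(date(2026, 4, 3) if d == date(2026, 2, 20) else d, p) for d, p in HISTORY]

if __name__ == "__main__":
    for f in blocking_findings(FIRST_SCAN):
        print(f"FAIL {f.host} {f.title} (CVSS {f.cvss}, {f.category})")
    print("first scan passes:", scan_passes(FIRST_SCAN))
    print("rescan passes:", scan_passes(RESCAN))
    print("uncovered quarters 2026:", uncovered_quarters(HISTORY, 2026))
    print("uncovered if rescan slips to April:", uncovered_quarters(LATE_HISTORY, 2026))
```

Run it directly to see the three blocking findings from the first scan (the disputed banner and the CVSS 3.1 TRACE finding are not among them) and that a rescan passing in April leaves Q1 uncovered even though Q2 is. Real ASV reports use the vendor's own severity mapping and the full automatic-failure list from the program guide, so treat this as a pre-scan sanity check rather than a substitute for the ASV's determination.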
Annual Scanning and Testing Budget Summary
The total annual cost for PCI scanning and testing depends on your merchant level and environment complexity. Below are typical annual budgets for different merchant profiles.
Level 4 Merchant (SAQ A)
$0 - $1,200/year
SAQ A merchants with no e-commerce website (fully outsourced mail and telephone order) have no internet-facing systems to scan and typically need neither ASV scans nor penetration testing. SAQ A e-commerce merchants, and any merchant whose acquirer asks for scans, should budget $400-$1,200/year for quarterly ASV scans of the web server that redirects to or embeds the hosted payment page.
Level 4 Merchant (SAQ B-IP or C)
$400 - $2,400/year for scanning; $5,400 - $12,400/year with a pen test
Quarterly ASV scans for a small number of IPs, $400-$1,200/year at the vendor rates above, or up to $2,400 once paid rescans and a larger IP range are included. Penetration testing may not be explicitly required for Level 4 but is recommended annually; add $5,000-$10,000 if you include one.
Level 2-3 E-commerce Merchant
$10,800 - $34,400/year
Quarterly ASV scans ($800-$2,400), annual external pen test ($5,000-$15,000), web application pen test ($5,000-$15,000), and quarterly internal vulnerability scans ($0-$2,000). Total: $10,800-$34,400.
Level 1 Enterprise Merchant
$27,000 - $91,000/year
Quarterly ASV scans ($2,000-$8,000), external pen test ($10,000-$30,000), internal pen test ($5,000-$20,000), web app pen test ($5,000-$15,000), annual segmentation validation ($3,000-$10,000; double this if you are a service provider testing every six months), and internal vulnerability scanning ($2,000-$8,000). Total: $27,000-$91,000.
Reduce Your Scanning Costs
Scope reduction directly reduces scanning and testing costs. Fewer in-scope systems means fewer IPs to scan and a smaller pen test scope. See our cost reduction strategies for specific approaches. For full QSA assessment costs (which include scanning oversight), see QSA assessment costs. To understand which scanning is required for your level, check cost by level.