Frequently Asked Question

Are Approved Scanning Vendors and Qualified Security Assessors considered third-party service providers for PCI DSS Requirements 12.8 and 12.9?

No, Approved Scanning Vendors (ASVs) and Qualified Security Assessors (QSAs) are not considered third-party service providers (TPSPs) for purposes of PCI DSS Requirements 12.8 and 12.9, if an ASV or QSA company’s only service is performing ASV scans or conducting PCI DSS assessments, respectively. Where ASV or QSA companies provide other services, they may be considered a TPSP for those services.

ASV and QSA companies are qualified by the PCI Security Standards Council (PCI SSC) to offer ASV and QSA related services. The PCI SSC qualification processes ensure that:

  • ASV companies and their ASV tools meet specific criteria necessary to perform external vulnerability scans for PCI DSS Requirement 11.3.2.
  • QSA companies and individual QSAs meet specific criteria necessary to perform PCI DSS assessments.

These companies have a direct relationship with PCI SSC through the ASV and QSA programs and are subject to PCI SSC’s quality programs to remain in good standing and be included on PCI SSC’s lists of qualified professionals.

Regardless of the relationship these companies have with PCI SSC, entities should follow their internal third-party due diligence processes when engaging with an ASV or QSA company.

June 2025
Article Number: 1598
