Vulnerability scanning is the process of identifying potential vulnerabilities in systems, software, and network devices, so that you can promptly address any vulnerabilities found.
PCI DSS v4.0.1 Self-Assessment Questionnaire A (SAQ A) requirement 11.3.2 requires a vulnerability scan of your ecommerce system every quarter or whenever a significant change is made in the network or applications.
Requirements
Before you begin, check if the information on this page applies to you.
| Requirement | Description |
|---|---|
| Integration type | The information on this page is relevant for online payments integrations. |
Scope of the scan
In the context of an online payments integration with Adyen, it is not necessary to scan your entire ecommerce system. The scope is limited to:
-
The page from which Adyen components are loaded or that re-directs to an Adyen Pay by Link page.
-
In an Adyen for Platforms environment, the platform or marketplace must ensure that on the platform or marketplace the Adyen-related page mentioned above passes the vulnerability scan. With that, the ecommerce environments of the users of the platform or marketplace automatically receive a passing scan.
Scanning vendors and scanning steps
The vulnerability scans must be done by an approved scanning vendor (ASV): a company that is approved by PCI SSC to provide external vulnerability scanning tools and services.
A scan by an AVS consists of several steps:
- Scoping
- Scanning
- Initial report
- Disputes
- Rescanning
- Final report
In the disputes step you can dispute any findings from the initial report that you think are incorrect, such as false positives or findings relating to exemptions. After you have fixed any remaining issues, the in-scope part of your system is scanned again, and the final report is your proof that you have passed the scan.