Network Vulnerability Scanning for Small Merchants

Network vulnerability scans are required for all entities that process credit card transactions across an internet connection on their physical or e-commerce network. In this blog, we cover the common issues small merchants face when running network vulnerability scans.

I only process a small number of transactions for my business. Do I still need to run a vulnerability scan?

There is no minimum number of transactions to require a network vulnerability scan. Often, malicious actors will target smaller businesses to collect a small amount of credit card data rather than larger corporations.

We process credit cards at multiple physical locations. Which location needs to be scanned?

All locations where credit cards are processed require a scan. It is your responsibility, per PCI DSS Requirement 11.2.2, to only process credit cards over a secure network. Therefore, you should only conduct business over networks you manage and maintain. It is strongly discouraged to ever use public internet locations to process credit card transactions.

I have sensitive data on my computer. We cannot allow outside vendors to access this data.

Network vulnerability scans are a perimeter scan, checking all access points to your network to determine if the data processed therein is at risk. Data on your network is not accessed.

Network Vulnerability Scanning for Small Merchants

I do not store customer credit card data on my computer. Do I still need to run scans?

The external network vulnerability scan probes your network to ensure there are no vulnerabilities a malicious actor can exploit to access the data on your network (physical or e-commerce). Even if the card data is not saved on your network, if you are processing credit cards over your network, that data can be intercepted during the transaction.

I received a message of “Host Not Detected” because my security settings do not allow my network to be found. If my network cannot be found, why am I failing?

As of January, 2018, “Host Not Detected” became a PCI-affecting vulnerability. Specifically, external vulnerability PCI scans may fail if some or all of the scan targets identified in your PCI ‘Scan Setup’ do not respond to our scanner in a timely manner. This means that you asked to scan a public target IP address that the scanner was ultimately unable to detect, and therefore unable to make a determination on the overall security of the environment.

To resolve this finding, you may need to whitelist the scanner on your system to allow the vendor to run the scan or update your existing security settings. For further information on remediation steps, please visit this knowledge base article.

What is the purpose of the scan attestation?

Your scan attestation confirms that your ASV is authorized to scan the network(s) listed and verifies there have been no changes to the targets. Effective February 1, 2019, passing PCI External Vulnerability Scan results will not apply unless there is an active attestation on record. Scan target(s) – IP Addresses and/or website URLs – will require verification at least once every 90 days, or any time changes are made to your current scan target(s). It is considered best practice to attest to your scan on a monthly basis.


SecureTrust is an Approved Scanning Vendor (ASV) with a set of security services and tools (“ASV scan solution”) to conduct external vulnerability scanning services to validate adherence with the external scanning requirements of PCI DSS Requirement 11.2.2. The scanning vendor’s ASV scan solution is tested and approved by PCI SSC before an ASV is added to PCI SSC’s List of Approved Scanning Vendors. To learn more about SecureTrust, click here: