If you are currently required to complete External Vulnerability Scanning, there are no changes. You will continue to scan and attest to your scans in exactly the same way. Please note, that some Ecommerce merchants who are classified as SAQ A may be required to perform External Vulnerability Scanning for the first time. If your website uses a URL redirect/embedded iFrame you will need to complete ASV scanning. If you are unsure, please check with your web developer. If scanning is required, you will receive detailed instructions.

If you meet the requirements for an External Vulnerability Scan, you must obtain a new scan within 90 days of a significant change to your website or web servers.
Note: The target environment for the external vulnerability scans must include your ecommerce web redirection servers.