If your website uses a URL redirect or an embedded iFrame and you are eligible to self-assess compliance using the SAQ A, you will need to complete an External Vulnerability Scan. This is also referred to as ASV scanning, because these scans must be performed by a PCI-Approved Scanning Vendor (ASV). It is a non-intrusive website scan that helps identify vulnerabilities that may lead to a compromise of your website and customer card data.

If you are unsure whether you need to scan or what to scan, please check with your web developer regarding how your website is set up to accept card payments. If scanning is required, you will receive detailed instructions.

If External Vulnerability Scanning applies to your website, then to maintain your compliance with the PCI DSS you will need to scan at least once every 90 days, and whenever a significant change is made to your website or web servers.

Note: The target environment for External Vulnerability Scans must include your e-commerce servers that either redirect your customers to a hosted payment page for payment processing, or that embed the hosted payment page, form or fields in one or more iFrames.