Tuesday, 9 November 2010

Cloud, virtualisation and PCI DSS v2.0

For readers who keep up-to-date with the industry, virtualisation and cloud technologies need no introduction. PCI DSS v2.0 includes guidance on virtualisation compliance and is well explained and assessed here and here.

Cisco, HyTrust, VMware, Savvis and Coalfire have collaborated to construct a cloud reference architecture (here) that aims to address some of the unique challenges of the PCI DSS.

This is certainly an interesting read. I’ll post my observations in the following post; however, it would be useful to know what you think of this development.

Thank you for reading and subscribing to this feed. Your comments are always welcome.

Thursday, 4 November 2010

Approved Scanning Vendors (ASVs - PCI DSS) in the UK

PCI DSS requirement 11.2 mandates organisations to run internal and external vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications or product upgrades).

Testing Procedure 11.2.1c requires the assessor to validate that the scan was performed by a qualified internal resource(s) or a qualified external third party and, if applicable, that organisational independence of the tester exists (the tester is not required to be a QSA or ASV).

Approved Scanning Vendors (ASVs) are organisations that validate adherence to certain DSS requirements by performing vulnerability scans of the Internet-facing environments of merchants and service providers. The Council has approved more than 130 ASVs. A complete list of these ASVs can be found here.

I received a request recently to provide some guidance on ASVs that offer their services in the UK. Below are the companies listed as ASVs today on the PCI SSC website that offer a vulnerability scanning service in the UK. To clarify, an ASV is not required to be local; there are a number of other ASVs on the website that offer a similar service baselined by the PCI SSC.

Ambersail
Context Information Security
Digital Assurance Consulting
Integralis
Matta Consulting
MWR Infosecurity
NCC Group
Nettitude
ProCheckUp
Protiviti
RandomStorm
Trustwave
Westpoint

Again, this listing should be taken only as a reference for organisations seeking to engage an ASV locally. Please feel free to add any ASVs that offer the service from the UK but have been unintentionally missed from this list.

Disclaimer: I do not work for any of the above listed ASVs and do not intend to endorse their ASV services over those of other companies offering such services globally.