Can I Perform the Scans? The answer to this question is both yes and no. You may be able to perform all the internal scans yourself to meet the internal scan requirements, but PCI DSS requires you to use an Approved Scanning Vendor (ASV) for external scans. If you want to do internal scans on your own, make sure they are performed by qualified staff members who are independent from the staff responsible for your security systems.
Every merchant, regardless of merchant level, that has an external IP address must go through vulnerability scans as described above. This has caused considerable confusion in the security community, and many people believe that level 4 merchants (those processing less than 1,000,000 annual transactions) do not need to go through such scans. This is not true at all, as set out in MasterCard's Site Data Protection program requirements and Visa's Cardholder Information Security Program requirements.