added qualys link
Tate Hansen

You may be getting zero value-add. I suggest finding a new vendor.

And when soliciting potential new PCI ASVs, ask them what they do, questions like:

Which vulnerability scanners will you use to assess our systems?
Do you use the commercial or free versions of the vulnerability scanners?
We use Nessus internally, what more will you do to bring value?

And if you truly want greater assurance you are running systems free of known vulnerabilities then make it clear to each ASV candidate that you expect them to do more than simply run a Nessus scan.

Request they use multiple commercially backed vulnerability scanners. For example, I may do the following when wearing a PCI ASV hat:

  • execute multiple rounds of full TCP/UDP port scans (typically using custom tuned nmap runs, scanning on different days and different times to minimize congestion hazards that can hurt accuracy)
  • fire off a tuned round of Qualys scanning
  • fire off a tuned round of Nessus w/professional feed scanning
  • for each SSL-based site, check for issues using https://www.ssllabs.com/
  • manually spot check any exposed web applications for common vulnerabilities (the point of this is if I find one or two form fields with easy vulnerabilities then it usually means the app has many more vulnerabilities and I’ll let the client know they need to do more work)
  • manually spot check any non-standard exposed services or applications

You can't expect a quality PCI ASV to match the above if you're only paying $99 (I'm not saying you are). But if you want more then shop around and be open to fair pricing.
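The first bullet above (several full port-scan rounds on different days, because congestion can make a single run miss ports) implies a follow-up task the answer does not spell out: reconciling the runs so you can tell which findings are stable and which need a rescan before they go in a report. The script below is an added example, not part of Tate Hansen's answer; it parses nmap's standard XML output (`-oX`) and flags ports that were reported open in only some of the runs. The two XML documents are constructed sample input standing in for real scan files, and the host address is a documentation-range placeholder.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample nmap XML (-oX) for two runs against the same host.
# In practice these would be read from the files each scan round produced.
RUN_1 = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="udp" portid="123"><state state="open|filtered"/><service name="ntp"/></port>
    </ports>
  </host>
</nmaprun>"""

RUN_2 = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="8443"><state state="open"/><service name="https-alt"/></port>
      <port protocol="udp" portid="123"><state state="open|filtered"/><service name="ntp"/></port>
    </ports>
  </host>
</nmaprun>"""


def observed_ports(nmap_xml):
    """Return {host_addr: {(protocol, port)}} for every port nmap reported as
    open or open|filtered. Closed and filtered ports are ignored, since the goal
    is to compare the set of exposed services across runs."""
    root = ET.fromstring(nmap_xml)
    result = defaultdict(set)
    for host in root.iter("host"):
        addr_el = host.find("address")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or not state.get("state", "").startswith("open"):
                continue
            result[addr].add((port.get("protocol"), int(port.get("portid"))))
    return dict(result)


def reconcile(runs):
    """Combine several runs. Returns (stable, unstable): stable is the set of
    (host, protocol, port) seen open in every run; unstable maps the rest to
    the number of runs in which they appeared."""
    seen = defaultdict(int)
    for nmap_xml in runs:
        for host, ports in observed_ports(nmap_xml).items():
            for proto, portid in ports:
                seen[(host, proto, portid)] += 1
    stable = {key for key, count in seen.items() if count == len(runs)}
    unstable = {key: count for key, count in seen.items() if count < len(runs)}
    return stable, unstable


def report(runs):
    """Human-readable lines: stable ports first, then the ones to rescan."""
    stable, unstable = reconcile(runs)
    lines = []
    for host, proto, portid in sorted(stable):
        lines.append(f"{host} {proto}/{portid}: open in all {len(runs)} runs")
    for (host, proto, portid), count in sorted(unstable.items()):
        lines.append(
            f"{host} {proto}/{portid}: open in {count}/{len(runs)} runs "
            "-- rescan before treating this as a finding"
        )
    return lines


if __name__ == "__main__":
    for line in report([RUN_1, RUN_2]):
        print(line)
```

A port that shows up in only some rounds is not automatically a false positive; it may be a service that is only up at certain times, which is itself worth a question to the client. Either way the disagreement is the signal that one scan was not enough, which is the point of running several.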
