FAQ #1152 Diff
Can an entity be PCI DSS compliant if they have performed quarterly scans, but do not have four "passing" scans?
Earlier Version → Later Version
Removed: [-text-]
Added: {+text+}

PCI DSS requires entities to perform internal and external [-quarterly-] vulnerability scans {+at least once every three months+}, identify and address vulnerabilities in a timely manner, and verify through rescans that vulnerabilities have been addressed. [-In order to-]{+To+} achieve these objectives, an entity would need to show that "clean" or "passing" [-quarterly-] scans were performed {+at least once every three months+} for the previous four quarters, for both their external and internal environments. A "clean" or "passing" scan generally has the following characteristics:
- No configuration or software was detected that results in an automatic failure (such as the presence of default accounts and passwords, etc.)
- For external scans, no vulnerabilities with a score of 4.0 or higher on the Common Vulnerability Scoring System (CVSS)
- For internal scans, [-no "High" vulnerabilities as defined in-]{+vulnerabilities are resolved by the entity according to+} PCI DSS Requirement [-6.1-]{+11.3.1+}.

With new vulnerabilities continually being identified, scanning becomes an integral part of an organization's vulnerability management process, resulting in a cycle of scanning, patching{+,+} and rescanning until a "clean" scan is obtained. However, due to the frequency of new vulnerabilities being identified, it may not always be possible to produce a single, clean scan [-for every quarter. For example, let's say an entity performs-]{+at least once every three months. Take the example of an entity that performs+} a quarterly scan which identifies [-a number of-]{+several+} vulnerabilities. The entity then fixes all the identified vulnerabilities and performs a rescan to verify. The rescan shows that the vulnerabilities identified in the first scan have been addressed, but new vulnerabilities that were not present in the original scan have since appeared. In this case, instead of having a single, environment-wide scan report, an entity may verify they have met the scanning requirements through a collection of scan results which together show that all required scans are being performed, and that all applicable vulnerabilities are being identified and addressed [-on a quarterly basis-]{+at least once every three months+}.

To verify that the [-quarterly scan requirement-]{+requirement to perform vulnerability scans at least once every three months+} has been met, the following should [-be in place-]{+occur+}:
- Scans of all in-scope systems [-were performed for each quarterly period-]{+are performed at least once every three months+}, and all in-scope systems are covered by the entity's scan-remediate-rescan processes.
- Rescans [-were-]{+are+} performed as necessary and show that vulnerabilities identified in the initial [-quarterly-] scans have been remediated, for all affected systems, as part of [-the quarterly-]{+that period's scanning+} process.
- The entity has processes in place to remediate currently identified vulnerabilities.
- Repeated failing scans are not the result of poor remediation practices resulting in previously identified vulnerabilities not being properly addressed.

If, however, an entity does not have four [-passing-]{+quarterly+} scans for the last 12 months{+, performed at least once every three months,+} because they didn't schedule the scans properly, or the scans are incomplete, or the identified vulnerabilities [-haven't-]{+have not+} been addressed from one [-quarter-]{+period+} to the next, then the entity has not met the requirement.

Note: results from [-quarterly-] external vulnerability scans may also be required by acquirers and payment card brands as part of an entity's annual compliance validation. Entities should contact their acquirer (merchant bank) and/or the payment brands directly to understand their reporting requirements for external scans.

(Note: PCI DSS Requirement numbers refer to PCI DSS version 3)
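As an added illustration (not part of the FAQ or of any PCI SSC material), the following Python script applies the passing criteria and the three-month evidence logic described above to a constructed set of scan records. A period passes when every in-scope host is covered by some scan in that period and the latest result for that host is clean, which is how a collection of scans and rescans can stand in for one clean environment-wide report; a failing issue that disappears on a rescan and then returns is flagged as the "repeated failing scans" case. The record shapes, the 91-day period length, the internal-scan rule (a "High" rating fails, following the earlier wording), and all host names and findings are assumptions made for the example.

```python
"""Evaluate a year of vulnerability scan results the way the FAQ describes:
four three-month periods, each covered for every in-scope host by one or
more scans whose latest result per host is "clean". Record shapes, the
91-day period and the internal-scan rule are assumptions; all scan data
below is constructed for the demonstration."""
from dataclasses import dataclass
from datetime import date, timedelta

EXTERNAL_FAIL_CVSS = 4.0   # FAQ: external scans fail on any finding with CVSS >= 4.0
PERIOD_DAYS = 91           # "at least once every three months" (assumed 91-day periods)


@dataclass(frozen=True)
class Finding:
    host: str
    issue: str               # scanner's identifier for the issue (constructed names below)
    cvss: float
    severity: str = ""       # rating used for the internal-scan rule (assumption: "High" fails)
    auto_fail: bool = False  # automatic failure, e.g. default account and password detected


@dataclass(frozen=True)
class Scan:
    scanned_on: date
    kind: str                # "external" or "internal"
    hosts: frozenset         # hosts this scan actually covered (not necessarily the whole scope)
    findings: tuple = ()


def finding_fails(f: Finding, kind: str) -> bool:
    """Apply the FAQ's 'clean scan' characteristics to one finding."""
    if f.auto_fail:
        return True
    if kind == "external":
        return f.cvss >= EXTERNAL_FAIL_CVSS
    return f.severity.lower() == "high"


def scan_is_clean(scan: Scan) -> bool:
    return not any(finding_fails(f, scan.kind) for f in scan.findings)


def evaluate_period(scans, kind, in_scope, start, end):
    """Problems for one scan kind in [start, end); an empty list means the period passes."""
    problems = []
    window = sorted((s for s in scans if s.kind == kind and start <= s.scanned_on < end),
                    key=lambda s: s.scanned_on)
    if not window:
        return [f"{kind}: no scan performed in period starting {start}"]
    covered = frozenset().union(*(s.hosts for s in window))
    for host in sorted(in_scope - covered):
        problems.append(f"{kind}: {host} not scanned in period starting {start}")
    for host in sorted(in_scope & covered):
        # The newest scan that covered this host decides whether it ends the period clean.
        latest = max((s for s in window if host in s.hosts), key=lambda s: s.scanned_on)
        still_open = sorted(f.issue for f in latest.findings
                            if f.host == host and finding_fails(f, kind))
        if still_open:
            problems.append(f"{kind}: {host} still failing on {latest.scanned_on}: "
                            + ", ".join(still_open))
        # An issue that fails, vanishes on a rescan and then comes back points at
        # remediation that did not hold (the FAQ's "repeated failing scans" case).
        seen, cleared = set(), set()
        for s in window:
            if host not in s.hosts:
                continue
            now = {f.issue for f in s.findings if f.host == host and finding_fails(f, kind)}
            cleared |= seen - now
            for issue in sorted(now & cleared):
                problems.append(f"{kind}: {host} issue {issue} reappeared on {s.scanned_on}")
            cleared -= now
            seen |= now
    return problems


def evaluate_year(scans, in_scope, as_of):
    """Map each of the four period start dates (ending at as_of) to its list of problems."""
    report = {}
    for i in range(4, 0, -1):
        start = as_of - timedelta(days=PERIOD_DAYS * i)
        end = as_of - timedelta(days=PERIOD_DAYS * (i - 1))
        report[start] = [p for kind in ("external", "internal")
                         for p in evaluate_period(scans, kind, in_scope[kind], start, end)]
    return report


def compliant(report) -> bool:
    return not any(report.values())


# Constructed sample: two external hosts, one internal host, assessed at year end.
AS_OF = date(2024, 12, 31)
IN_SCOPE = {"external": frozenset({"web1", "web2"}), "internal": frozenset({"db1"})}
EXT, INT = "external", "internal"
SCANS = (
    # Period 1: first scan fails, the rescan finds something new, the third rescan is clean.
    Scan(date(2024, 1, 15), EXT, frozenset({"web1", "web2"}), (Finding("web1", "outdated-openssl", 7.5),)),
    Scan(date(2024, 2, 10), EXT, frozenset({"web1"}), (Finding("web1", "weak-tls-cipher", 5.3),)),
    Scan(date(2024, 3, 5), EXT, frozenset({"web1"}), (Finding("web1", "server-banner", 2.6),)),
    Scan(date(2024, 1, 20), INT, frozenset({"db1"}), (Finding("db1", "old-kernel", 5.0, "Medium"),)),
    # Period 2: clean on the first attempt.
    Scan(date(2024, 5, 1), EXT, frozenset({"web1", "web2"})),
    Scan(date(2024, 5, 1), INT, frozenset({"db1"})),
    # Period 3: web2 never scanned; db1's High finding is "fixed" and then comes back.
    Scan(date(2024, 8, 1), EXT, frozenset({"web1"}), (Finding("web1", "default-creds", 0.0, auto_fail=True),)),
    Scan(date(2024, 9, 1), EXT, frozenset({"web1"})),
    Scan(date(2024, 8, 1), INT, frozenset({"db1"}), (Finding("db1", "smb-signing-off", 5.3, "High"),)),
    Scan(date(2024, 8, 20), INT, frozenset({"db1"})),
    Scan(date(2024, 9, 10), INT, frozenset({"db1"}), (Finding("db1", "smb-signing-off", 5.3, "High"),)),
    # Period 4: clean.
    Scan(date(2024, 11, 1), EXT, frozenset({"web1", "web2"})),
    Scan(date(2024, 11, 1), INT, frozenset({"db1"})),
)

if __name__ == "__main__":
    report = evaluate_year(SCANS, IN_SCOPE, AS_OF)
    for start, problems in report.items():
        print(start, "PASS" if not problems else "FAIL")
        for p in problems:
            print("   ", p)
    print("compliant:", compliant(report))
```

With the sample data, periods 1, 2 and 4 pass (period 1 only through the chain of rescans), period 3 fails on a coverage gap and a reappearing internal finding, and the year as a whole is reported as not compliant.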
Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.