💼 11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network.

• Contextual name: 💼 11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network.

• ID: /frameworks/pci-dss-v3.2.1/11/02

• Located in: 💼 11 Regularly test security systems and processes.

Description

Multiple scan reports can be combined for the quarterly scan process to show that all systems were scanned and all applicable vulnerabilities have been addressed. Additional documentation may be required to verify non-remediated vulnerabilities are in the process of being addressed.

For initial PCI DSS compliance, it is not required that four quarters of passing scans be completed if the assessor verifies 1) the most recent scan result was a passing scan, 2) the entity has documented policies and procedures requiring quarterly scanning, and 3) vulnerabilities noted in the scan results have been corrected as shown in a re-scan(s). For subsequent years after the initial PCI DSS review, four quarters of passing scans must have occurred.

Similar

• Internal
  • ID: dec-c-dbcb0be6

Sub Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 11.2.1 Perform quarterly internal vulnerability scans. Address vulnerabilities and perform rescans to verify all “high risk” vulnerabilities are resolved in accordance with the entity's vulnerability ranking.
💼 11.2.2 Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC).
💼 11.2.3 Perform internal and external scans, and rescans as needed, after any significant change.