Reference Content: This is a copy of content from the PCI Security Standards Council FAQ database, preserved for tracking changes over time.
FAQ #1087 Published

For ASV scans, what is meant by quarterly?

The intent of the quarterly scans prescribed in Requirement 11.2 of the PCI DSS is to have them conducted as close to three months or 90 days apart as possible, so as to minimize risk and identify vulnerabilities more quickly. For example, if five months elapse between scans (i.e., one done in January and the next done in June), that would not meet the intent of this requirement. To meet this requirement, an entity is required to complete its ASV scans, and perform any required remediation, each quarter.

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.