Diff: FAQ #1087
For ASV scans, what is meant by quarterly?
Earlier Version
Later Version
Removed
Added
The intent of the?quarterly? vulnerability scans, as defined in PCI DSS Requirement 11.2, is to have them conducted as close to three months apart as possible, to ensure vulnerabilities are identified and addressed in a timely manner. In order to meet this requirement, an entity is required to complete their internal and external scans, and perform any required remediation, every three months.
Three months, or 90 days, is considered the maximum amount of time that should be allowed to pass between quarterly vulnerability scans. If unforeseen circumstances occur that impact an entity?s ability to complete scheduled scans, every effort should be made to perform scans asprescribed insoon as possible (for example, within a day or two) of the scheduled scan date. Where an entity has advance notice of factors that may delay scans or impede their ability to address vulnerabilities (for example, scheduled system downtime, or predefined no-change windows that prevent system updates), the entity should strive to schedule scans before the 90 day period is reached.
In the case of legitimate technical or documented business constraints, and where the entity has sufficiently implemented other controls to mitigate the risk associated with not meeting the requirement, the entity may use a Compensating Controls Worksheet to document how they have addressed the intent of Requirement11.2 of the PCI DSS11.2. Please refer to Appendix B (Compensating Controls) and Appendix C (Compensating Controls Worksheet) for further information.
In addition to the quarterly scans, vulnerability scans are also required after significant changes (Requirement 11.2.3). The occurrence of these scans isto have them conducted as close to three months or 90 days apart as possible, so as to minimize the risk and identify vulnerabilities more quickly. For example, if five months elapse betweenseparate and independent of the quarterly scan schedule. Scans that are performed to verify a significant change do not replace a quarterly scan, and the occurrence of a quarterly scan does not replace the requirement to perform scans (i.e. one done is January and the next done in June), that would not meet the intent of this requirement. In order to meet this requirement, an entity is required to complete their ASV scans, and perform any required remediation, each quarter.after a significant change.
Three months, or 90 days, is considered the maximum amount of time that should be allowed to pass between quarterly vulnerability scans. If unforeseen circumstances occur that impact an entity?s ability to complete scheduled scans, every effort should be made to perform scans as
In the case of legitimate technical or documented business constraints, and where the entity has sufficiently implemented other controls to mitigate the risk associated with not meeting the requirement, the entity may use a Compensating Controls Worksheet to document how they have addressed the intent of Requirement
In addition to the quarterly scans, vulnerability scans are also required after significant changes (Requirement 11.2.3). The occurrence of these scans is
Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.