Diff: FAQ #1087
For ASV scans, what is meant by quarterly?
Earlier Version

The intent of "quarterly", as defined in PCI DSS Requirement 11.2, is to have them conducted as close to three months apart as possible, to ensure vulnerabilities are identified and addressed in a timely manner. In order to meet this requirement, an entity is required to complete their internal and external scans, and perform any required remediation, every three months.

Three months, or 90 days, is considered the maximum amount of time that should be allowed to pass between quarterly vulnerability scans. If unforeseen circumstances occur that impact an entity's ability to complete scheduled scans, every effort should be made to perform scans as soon as possible (for example, within a day or two) of the scheduled scan date. Where an entity has advance notice of factors that may delay scans or impede their ability to address vulnerabilities (for example, scheduled system downtime, or predefined no-change windows that prevent system updates), the entity should strive to schedule scans before the 90-day period is reached.

In the case of legitimate technical or documented business constraints, and where the entity has sufficiently implemented other controls to mitigate the risk associated with not meeting the requirement, the entity may use a Compensating Controls Worksheet to document how they have addressed the intent of Requirement 11.2. Please refer to Appendix B (Compensating Controls) and Appendix C (Compensating Controls Worksheet) for further information.

In addition to the quarterly scans, vulnerability scans are also required after significant changes (Requirement 11.2.3). The occurrence of these scans is separate and independent of the quarterly scan schedule. Scans that are performed to verify a significant change do not replace a quarterly scan, and the occurrence of a quarterly scan does not replace the requirement to perform scans after a significant change.

Later Version

The intent of conducting vulnerability scans "quarterly" or "at least once every three months," as defined in PCI DSS v3.2.1 and v4.0 respectively, is to have them conducted as close to three months apart as possible, to ensure vulnerabilities are identified and addressed in a timely manner. To meet the vulnerability scanning requirements in PCI DSS Requirement 11, an entity is required to complete their internal and external scans, and perform any required remediation, at least once every three months.

At least once every three months, or 90 days, is considered the maximum amount of time that should be allowed to pass between quarterly vulnerability scans. If unforeseen circumstances occur that impact an entity's ability to complete scheduled scans, every effort should be made to perform scans as soon as possible (for example, within a day or two) of the scheduled scan date. Where an entity has advance notice of factors that may delay scans or impede their ability to address vulnerabilities (for example, scheduled system downtime, or predefined no-change windows that prevent system updates), the entity should strive to schedule scans before the three-month period is reached.

Entities are encouraged to perform vulnerability scans more frequently than required, as it will enhance security by allowing quicker identification and resolution of vulnerabilities. More frequent vulnerability scans also provide entities with earlier awareness of vulnerabilities that need to be resolved, thereby increasing the likelihood that all vulnerabilities are successfully identified and resolved within the three-month period.

PCI DSS also requires vulnerability scans after significant changes. These scans are required in addition to the scans conducted at least once every three months; this means that vulnerability scans are required both 1) at least once every three months and 2) after a significant change.

Also refer to the following related FAQ:
FAQ 1572: Can a compensating control be used for requirements with a periodic or defined frequency, where an entity did not perform the activity within the required timeframe?
Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.