Frequently Asked Question

Can an entity be PCI DSS compliant if they have performed quarterly scans, but do not have four “passing” scans?

PCI DSS requires entities to perform internal and external quarterly vulnerability scans, identify and address vulnerabilities in a timely manner, and verify through rescans that vulnerabilities have been addressed.  In order to achieve these objectives, an entity would need to show “clean” or “passing” quarterly scans for the previous four quarters, for both their external and internal environments.  A "clean" or “passing” scan generally has the following characteristics:

  • No configuration or software was detected that results in an automatic failure (such as the presence of default accounts and passwords)
  • For external scans, no vulnerabilities with a score of 4.0 or higher on the Common Vulnerability Scoring System (CVSS)
  • For internal scans, no "High" vulnerabilities as defined in PCI DSS Requirement 6.1

With new vulnerabilities continually being identified, scanning becomes an integral part of an organization’s vulnerability management process, resulting in a cycle of scanning, patching and rescanning until a "clean" scan is obtained. However, due to the frequency of new vulnerabilities being identified, it may not always be possible to produce a single, clean scan for every quarter. For example, let’s say an entity performs a quarterly scan which identifies a number of vulnerabilities. The entity then fixes all the identified vulnerabilities and performs a rescan to verify.  The rescan shows that the vulnerabilities identified in the first scan have been addressed, but new vulnerabilities that were not present in the original scan have since appeared. In this case, instead of having a single, environment-wide scan report, an entity may verify they have met the scanning requirements through a collection of scan results which together show that all required scans are being performed, and that all applicable vulnerabilities are being identified and addressed on a quarterly basis. 

To verify that the quarterly scan requirement has been met, the following should be in place:

  • Scans of all in-scope systems were performed for each quarterly period, and all in-scope systems are covered by the entity's scan-remediate-rescan processes
  • Rescans were performed as necessary, and show that vulnerabilities identified in the initial quarterly scans have been remediated, for all affected systems, as part of the quarterly process
  • The entity has processes in place to remediate currently identified vulnerabilities
  • Repeated failing scans are not the result of poor remediation practices resulting in previously identified vulnerabilities not being properly addressed

If, however, an entity does not have four passing quarterly scans because they didn’t schedule the scans properly, or the scans are incomplete, or the identified vulnerabilities haven’t been addressed from one quarter to the next, then the entity has not met the requirement.
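As an added illustration (not part of the FAQ or any PCI SSC tooling), the following Python sketch applies the rules above to a constructed external scan history: a quarter is met either by a clean scan or by a scan-remediate-rescan chain in which every failing finding (CVSS 4.0 or higher, or an automatic failure) from earlier scans is absent from the last rescan, while findings still open at the end of one quarter that remain open at the end of the next mark the failure as poor remediation. Scan dates, finding identifiers and scores are constructed for the example.

```python
from dataclasses import dataclass

CVSS_FAIL = 4.0  # external scans: a finding scored 4.0 or higher blocks a passing scan

@dataclass
class Scan:
    quarter: str                # constructed label, e.g. "2014Q1"
    date: str                   # ISO date, used only to order scans within a quarter
    findings: dict              # constructed finding id -> CVSS base score
    auto_fail: bool = False     # e.g. default account/password detected

def failing_findings(scan):
    """Findings that keep an external scan from passing (CVSS 4.0 or higher)."""
    return {fid for fid, score in scan.findings.items() if score >= CVSS_FAIL}

def is_clean(scan):
    return not scan.auto_fail and not failing_findings(scan)

def quarter_status(scans, carried=frozenset()):
    """Judge one quarter's scans as a collection, as the FAQ allows.
    Returns (met, still_open). met is True when the last scan is clean, or when
    every failing finding from earlier scans (and from `carried`, the findings
    left open at the end of the previous quarter) is absent from the last rescan;
    new findings first seen in that last rescan are returned in still_open."""
    ordered = sorted(scans, key=lambda s: s.date)
    if not ordered:                       # no scan at all for the quarter
        return False, set(carried)
    last = ordered[-1]
    still_open = failing_findings(last)
    earlier = set(carried).union(*(failing_findings(s) for s in ordered[:-1]))
    unremediated = earlier & still_open   # identified before, still present: poor remediation
    return (not last.auto_fail and not unremediated), still_open

def review(by_quarter):
    """Walk the quarters in order, carrying open findings into the next quarter."""
    results, carried = {}, set()
    for q in sorted(by_quarter):
        results[q], carried = quarter_status(by_quarter[q], carried)
    return results

SAMPLE = {  # constructed scan history; ids and scores are illustrative only
    "2014Q1": [Scan("2014Q1", "2014-01-10", {"VULN-A": 7.5, "VULN-B": 3.1}),
               Scan("2014Q1", "2014-02-02", {"VULN-C": 5.0})],    # A fixed, C newly found
    "2014Q2": [Scan("2014Q2", "2014-04-15", {"VULN-C": 5.0}),     # C carried over, still open
               Scan("2014Q2", "2014-05-01", {})],                  # clean rescan closes it
    "2014Q3": [Scan("2014Q3", "2014-07-20", {}, auto_fail=True),   # default password detected
               Scan("2014Q3", "2014-08-05", {}, auto_fail=True)],  # never fixed: quarter fails
}
```

Calling `review(SAMPLE)` marks 2014Q1 and 2014Q2 as met and 2014Q3 as not met; note that VULN-B (CVSS 3.1) never counts against an external scan under the threshold above.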

Note: results from quarterly external vulnerability scans may also be required by acquirers and payment card brands as part of an entity’s annual compliance validation. Entities should contact their acquirer (merchant bank) and/or the payment brands directly to understand their reporting requirements for external scans.

(Note: PCI DSS Requirement numbers refer to PCI DSS version 3)
May 2014
Article Number: 1152