Frequently Asked Question

For vulnerability scans, what is meant by quarterly?

The intent of “quarterly” vulnerability scans, as defined in PCI DSS Requirement 11.2, is to have them conducted as close to three months apart as possible, to ensure vulnerabilities are identified and addressed in a timely manner. In order to meet this requirement, an entity is required to complete their internal and external scans, and perform any required remediation, every three months.

Three months, or 90 days, is considered the maximum amount of time that should be allowed to pass between quarterly vulnerability scans. If unforeseen circumstances occur that impact an entity’s ability to complete scheduled scans, every effort should be made to perform scans as soon as possible (for example, within a day or two) of the scheduled scan date. Where an entity has advance notice of factors that may delay scans or impede their ability to address vulnerabilities (for example, scheduled system downtime, or predefined no-change windows that prevent system updates), the entity should strive to schedule scans before the 90 day period is reached.

In the case of legitimate technical or documented business constraints, and where the entity has sufficiently implemented other controls to mitigate the risk associated with not meeting the requirement, the entity may use a Compensating Controls Worksheet to document how they have addressed the intent of Requirement 11.2. Please refer to Appendix B (Compensating Controls) and Appendix C (Compensating Controls Worksheet) for further information.

In addition to the quarterly scans, vulnerability scans are also required after significant changes (Requirement 11.2.3).  The occurrence of these scans is separate and independent of the quarterly scan schedule.  Scans that are performed to verify a significant change do not replace a quarterly scan, and the occurrence of a quarterly scan does not replace the requirement to perform scans after a significant change.

August 2017
Article Number: 1087