Frequently Asked Question
Can entities be PCI DSS compliant if they have performed vulnerability scans at least once every three months, but do not have four "passing" scans?
PCI DSS requires entities to perform internal and external vulnerability scans at least once every three months, identify and address vulnerabilities in a timely manner, and verify through rescans that vulnerabilities have been addressed. To achieve these objectives, an entity would need to show that "clean" or "passing" scans were performed at least once every three months for the previous four quarters, for both their external and internal environments. A "clean" or "passing" scan generally has the following characteristics:
- No configuration or software was detected that results in an automatic failure (such as the presence of default accounts and passwords, etc.)
- For external scans, no vulnerabilities with a score of 4.0 or higher on the Common Vulnerability Scoring System (CVSS)
- For internal scans, vulnerabilities are resolved by the entity according to PCI DSS Requirement 11.3.1.
With new vulnerabilities continually being identified, scanning becomes an integral part of an organization's vulnerability management process, resulting in a cycle of scanning, patching, and rescanning until a "clean" scan is obtained. However, due to the frequency of new vulnerabilities being identified, it may not always be possible to produce a single, clean scan at least once every three months. Take the example of an entity that performs a scan which identifies several vulnerabilities. The entity then fixes all the identified vulnerabilities and performs a rescan to verify. The rescan shows that the vulnerabilities identified in the first scan have been addressed, but new vulnerabilities that were not present in the original scan have since appeared. In this case, instead of having a single, environment-wide scan report, an entity may verify they have met the scanning requirements through a collection of scan results which together show that all required scans are being performed, and that all applicable vulnerabilities are being identified and addressed at least once every three months.
To verify that the requirement to perform vulnerability scans at least once every three months has been met, the following should occur:- Scans of all in-scope systems are performed at least once every three months, and all in-scope systems are covered by the entity's scan-remediate-rescan processes.
- Rescans are performed as necessary and show that vulnerabilities identified in the initial scans have been remediated, for all affected systems, as part of that period's scanning process.
- The entity has processes in place to remediate currently identified vulnerabilities.
- Repeated failing scans are not the result of poor remediation practices resulting in previously identified vulnerabilities not being properly addressed.
If, however, an entity does not have four passing scans for the last 12 months, performed at least once every three months, because they didn't schedule the scans properly, or the scans are incomplete, or the identified vulnerabilities have not been addressed from one period to the next, then the entity has not met the requirement.
Note: results from external vulnerability scans may also be required by acquirers and payment card brands as part of an entity's annual compliance validation. Entities should contact their acquirer (merchant bank) and/or the payment brands directly to understand their reporting requirements for external scans.
Related
-
What evidence is a TPSP expected to provide to customers to demonstrate PCI DSS compliance?
-
Does PCI SSC consider guidance from other standards organizations when making updates to PCI standards?
-
If an organization provides software or functionality that runs on a consumer's device (for example, smartphones, tablets, or laptops) and is used to accept payment account data, can the organization store card verification codes for those consumers?
Featured FAQ Articles
Featured
-
Do PCI DSS requirements for keyed cryptographic hashing apply to previously hashed PANs?
-
Is the PCI DSS Attestation of Compliance intended to be shared?
-
How does an entity report the results of a PCI DSS assessment for new requirements that are noted in PCI DSS as best practices until a future date?
-
Where do I direct questions about complying with PCI standards?
-
Can SAQ eligibility criteria be used for determining applicability of PCI DSS requirements for assessments documented in a Report on Compliance?
Most Popular
-
What evidence is a TPSP expected to provide to customers to demonstrate PCI DSS compliance?
-
Does PCI SSC consider guidance from other standards organizations when making updates to PCI standards?
-
If an organization provides software or functionality that runs on a consumer's device (for example, smartphones, tablets, or laptops) and is used to accept payment account data, can the organization store card verification codes for those consumers?
-
Do PCI DSS requirements for keyed cryptographic hashing apply to previously hashed PANs?
-
Can a compensating control be used for requirements with a periodic or defined frequency, where an entity did not perform the activity within the required timeframe?
Most Recently Updated
-
Where can I find the current version of PCI DSS?
-
Why are there multiple PCI DSS Self-assessment Questionnaires (SAQs)?
-
What is a PCI DSS Self-Assessment Questionnaire?
-
Are Mobile Payments on COTS (MPoC) solutions, Software-based PIN Entry on COTS (SPoC)™ solutions, or Contactless Payments on COTS (CPoC™) solutions eligible for a P2PE Solution approval?
-
How can an entity meet PCI DSS requirements for PAN masking and truncation if it has migrated to 8-digit BINs?