11.3.2—External vulnerability scans are performed as follows: At least once every three months.
>Requirement Description
External vulnerability scans are performed as follows:
At least once every three months.
By a PCI SSC Approved Scanning Vendor (ASV).
Vulnerabilities are resolved and ASV Program Guide requirements for a passing scan are met.
Rescans are performed as needed to confirm that vulnerabilities are resolved per the ASV Program Guide requirements for a passing scan.
>Applicability Notes
For the initial PCI DSS assessment against this requirement, it is not required that four passing scans be completed within 12 months if the assessor verifies:
1) the most recent scan result was a passing scan,
2) the entity has documented policies and procedures requiring scanning at least once every three months, and
3) vulnerabilities noted in the scan results have been corrected as shown in a re-scan(s).
However, for subsequent years after the initial PCI DSS assessment, passing scans at least every three months must have occurred.
ASV scanning tools can scan a vast array of network types and topologies. Any specifics about the target environment (for example, load balancers, third-party providers, ISPs, specific configurations, protocols in use, scan interference) should be worked out between the ASV and scan customer. Refer to the ASV Program Guide published on the PCI SSC website for scan customer responsibilities, scan preparation, etc.
>Cross-Framework Mappings