PCI Requirement 11.2 – Run Internal and External Vulnerability Scans at Least Quarterly and After Any Significant Change in the Network 

by Randy Bartels / June 5th, 2018

Running Network Vulnerability Scans

PCI Requirement 11.2 requires that organizations run internal and external network vulnerability scans at least quarterly and also after any significant change in the network. It’s crucial that vulnerability scans are performed by qualified personnel. Vulnerability scans are a combination of automated or manual tools and techniques run against external and internal network devices and servers, and are designed to expose potential vulnerabilities that could be exploited by attackers.

PCI Requirement 11.2 has three sub-requirements:

  • 11.2.1: Perform quarterly internal vulnerability scans. Address vulnerabilities and perform rescans to verify that all high risk vulnerabilities are resolved in accordance with the organization’s vulnerability ranking, per PCI Requirement 6.1.
  • 11.2.2: Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the PCI SSC. Perform rescans as needed, until passing scans are achieved.
  • 11.2.3: Perform internal and external scans, and rescans as needed, after any significant change, such as after new system component installations, changes in network topology, firewall rule modifications, product upgrades, etc.
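
As an added illustration (not code from the post or from the PCI SSC), the three sub-requirements above can be expressed as checks over an organization's own scan records: quarterly cadence per scope (11.2.1, 11.2.2), no open high-risk findings in the most recent scan, external scans performed by an ASV (11.2.2), and an internal and external scan following each significant change (11.2.3). The 92-day "quarter" and the 30-day post-change window are this example's assumptions, not values from the standard, and the scan and change records are constructed.

```python
"""Evidence check for PCI DSS 11.2 scan cadence (added example, not from the post)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed thresholds for this example; PCI DSS itself does not fix these numbers.
QUARTER_MAX_GAP_DAYS = 92        # "quarterly": no more than ~92 days between scans
CHANGE_RESCAN_WINDOW_DAYS = 30   # scan expected within 30 days of a significant change


@dataclass(frozen=True)
class Scan:
    run_on: date
    scope: str         # "internal" or "external"
    high_risk: int     # high-risk findings still open after this scan
    asv: bool = False  # True if a PCI SSC Approved Scanning Vendor performed it


@dataclass(frozen=True)
class Change:
    made_on: date
    description: str


def cadence_gaps(scans, scope, period_end, max_gap=QUARTER_MAX_GAP_DAYS):
    """11.2.1 / 11.2.2: intervals between consecutive scans of one scope (and from
    the last scan to period_end) that exceed max_gap days."""
    dates = sorted(s.run_on for s in scans if s.scope == scope)
    gaps, prev = [], None
    for d in dates:
        if prev is not None and (d - prev).days > max_gap:
            gaps.append((prev, d))
        prev = d
    if prev is None:
        return [(None, period_end)]  # no scan of this scope at all
    if (period_end - prev).days > max_gap:
        gaps.append((prev, period_end))
    return gaps


def unresolved_high_risk(scans, scope):
    """11.2.1: the most recent scan must show no open high-risk findings,
    i.e. rescans continued until the high-risk items were resolved."""
    in_scope = [s for s in scans if s.scope == scope]
    if not in_scope:
        return True
    latest = max(in_scope, key=lambda s: s.run_on)
    return latest.high_risk > 0


def non_asv_external(scans):
    """11.2.2: external scans must be performed by an Approved Scanning Vendor."""
    return sorted(s.run_on for s in scans if s.scope == "external" and not s.asv)


def changes_without_rescan(scans, changes, window=CHANGE_RESCAN_WINDOW_DAYS):
    """11.2.3: every significant change needs both an internal and an external
    scan on or after the change date and within the rescan window."""
    missing = []
    for c in changes:
        deadline = c.made_on + timedelta(days=window)
        for scope in ("internal", "external"):
            covered = any(c.made_on <= s.run_on <= deadline
                          for s in scans if s.scope == scope)
            if not covered:
                missing.append((c, scope))
    return missing


def assess(scans, changes, period_end):
    """Summarize all 11.2 checks; empty lists and False mean the check passed."""
    return {
        "internal_cadence_gaps": cadence_gaps(scans, "internal", period_end),
        "external_cadence_gaps": cadence_gaps(scans, "external", period_end),
        "internal_open_high_risk": unresolved_high_risk(scans, "internal"),
        "external_open_high_risk": unresolved_high_risk(scans, "external"),
        "non_asv_external_scans": non_asv_external(scans),
        "changes_missing_rescan": changes_without_rescan(scans, changes),
    }


# Constructed sample evidence covering the first half of 2018.
SCANS = [
    Scan(date(2018, 1, 15), "internal", high_risk=2),
    Scan(date(2018, 1, 29), "internal", high_risk=0),            # rescan after remediation
    Scan(date(2018, 4, 20), "internal", high_risk=0),
    Scan(date(2018, 1, 20), "external", high_risk=0, asv=True),
    Scan(date(2018, 4, 25), "external", high_risk=1, asv=True),  # not yet a passing scan
]
CHANGES = [Change(date(2018, 4, 5), "firewall rule modification")]
PERIOD_END = date(2018, 6, 30)

if __name__ == "__main__":
    for key, value in assess(SCANS, CHANGES, PERIOD_END).items():
        print(f"{key}: {value}")
```

On the sample data the internal cadence passes, the external scans are 95 days apart (a cadence gap), the latest external scan still carries one open high-risk finding (rescan needed), and the April firewall change was followed by both an internal and an external scan inside the window.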

PCI Requirement 11.2 has several requirements around vulnerability identification, and from a high-level perspective, we are going to be performing internal and external scans. We are also going to be performing scans any time that we have made a change within the environment. We’ll talk about these in detail in the next set of requirements.