Mandatory scan and testing requirements that must be addressed.
1. Internal VA scan
   Scope: all in-scope systems (e.g. Nessus).
   Frequency: quarterly.
2. External ASV scan
   Scope: public interfaces of the CDE (e.g. Qualys).
   Frequency: quarterly.
3. Wireless scan
   Scope: if AWS or another PCI DSS compliant data-centre provider is used, this is not applicable to the customer; AWS and other service providers may already cover this for the customer under their infrastructure/platform-as-a-service responsibility.
   Frequency: quarterly.
4. Internal PT
   Scope: web and network layer, along with a segmentation test (half-yearly).
   Frequency: yearly.
5. External PT
   Scope: both web and network layer tests to be executed.
   Frequency: yearly.
6. Data discovery scan on CDE servers
   Scope: scan performed on the CDE to show there is no CHD on any systems other than those defined to store it.
   Frequency: yearly.
Note:
All the above 4 reports should be in a good state.
· ASV scan, PT: all high and medium risks must be remediated; a retesting report is required to prove this.
· Internal scan: all highs must be remediated; a rescan report/results are required post remediation.