In a website posting yesterday, Visa clarified on their Merchants page the requirements around quarterly network scans. From their site….
The Quarterly Network Security Scan is an automated tool that checks systems for vulnerabilities. It conducts a non-intrusive scan to remotely review networks and Web applications based in the externally-facing Internet Protocol (IP) address provided by the merchant. Acquirers are responsible for ensuring that the quarterly network security scans required of their levels 1, 2, and 3 merchants are performed by an Approved Scanning Vendor. The Quarterly Network Security Scan is applicable to merchants with externally-facing IP addresses as specified by their acquirer. Quarterly Network Security Scans are not required of merchants that do not have externally-facing IP addresses.
We’ve had some questions around quarterly scans recently, so thanks for the clarification!
Possibly Related Posts:
- PCI DSS 4.0 Released plus BOOK DETAILS!
- PCI Council Loses $600K in Revenue, PO Population on the Decline
- Why PCI DSS 4.0 Needs to be a Complete Rewrite
- Orfei Steps Down
- Should you be a PCI Participating Organization?