In a website posting yesterday, Visa clarified on their Merchants page the requirements around quarterly network scans. From their site….

The Quarterly Network Security Scan is an automated tool that checks systems for vulnerabilities. It conducts a non-intrusive scan to remotely review networks and Web applications based in the externally-facing Internet Protocol (IP) address provided by the merchant. Acquirers are responsible for ensuring that the quarterly network security scans required of their levels 1, 2, and 3 merchants are performed by an Approved Scanning Vendor. The Quarterly Network Security Scan is applicable to merchants with externally-facing IP addresses as specified by their acquirer. Quarterly Network Security Scans are not required of merchants that do not have externally-facing IP addresses.

We’ve had some questions around quarterly scans recently, so thanks for the clarification!

This post originally appeared on BrandenWilliams.com.