What to do if your organization can’t demonstrate four passing PCI internal or external scans 

Blog Post created by dgodart on Sep 15, 2011

Two cases:

1) Your company is assessed for the first time:


Entities participating in their first ever PCI DSS assessment are only required to demonstrate that the most recent scan result meets the criteria for a passing scan, and there are policies and procedures in place for future quarterly scans, to meet the intent of this requirement. So to be compliant with 11.2 the first time you are assessed, you only need to demonstrate that the most recent scan is a PASS.


2) Reassessment (from the second year):


If an entity seeking reassessment does not have four quarterly passing scans but can demonstrate they have identified and addressed all vulnerabilities in a timely manner, the QSA may determine that the requirement has been met.


The presence of recurring scan failures may indicate weaknesses in other PCI DSS control areas, such as patching, penetration testing, change management,etc. In this case requirement 11.2 could be considered as not met.  


In the event that your organization cannot produce four passing scans, you must demonstrate that:

  • processes are in place to remediate vulnerabilities in a consistent and timely manner
  • rescans are performed as needed to achieve "clean" scans
  • all in-scope systems are covered by the entity's quarterly scan-and-remediate processes.


Didier Godart


Source: PCI Assessor newsletter August 11