PCI DSS 11.2 – Internal and external vulnerability assessment
Requirement 11.2 mandates that organisations run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
For cost purposes, many SMEs assign the task of internal scanning (both quarterly and after significant changes) to a suitably qualified internal resource. This staff member is required to be independent of the systems being tested (so IT admins should not be testing infrastructure they manage). It is recommended that the staff member holds a qualification in this area such as:
• SANS 542, 560
• CREST certified tester
• Offensive Security Certified Professional (OSCP)
• Certified Ethical Hacker (CEH)
Quarterly external scans must be performed by an Approved Scanning Vendor (ASV). A list of approved ASVs is outlined here ->
The cost of an ASV scan can vary dramatically depending on the vendor, the number of systems, the tools in use, the scope, etc. In many cases SMEs can purchase a quarterly scan from a qualified ASV for less than a thousand dollars. The annual penetration test required for PCI DSS (see 11.3) is typically more expensive for SMEs than the sum of the four required annual ASV scans, because a penetration test involves far more manual testing than a vulnerability scan.
Typical tools used by internal resources for internal scans are:
• Nessus (www.tenable.com/)
• Qualys (www.qualys.com/)
• Nexpose (www.rapid7.com/products/nexpose/)
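As an added example (not from the page or from any of the vendors listed), the following Python script parses a Nessus v2 export (the `.nessus` XML format) and lists, per host, the findings that would need remediation and a rescan. The sample export is constructed inline, and the 4.0 CVSS cut-off is assumed from the PCI ASV Program Guide's failing threshold rather than stated on this page.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample .nessus (v2) export, trimmed to the elements this parser reads.
SAMPLE_NESSUS = """<NessusClientData_v2>
  <Report name="Q1 internal CDE scan">
    <ReportHost name="10.0.5.10">
      <ReportItem port="443" protocol="tcp" svc_name="https" severity="3"
                  pluginID="90001" pluginName="TLS 1.0 Enabled">
        <cvss_base_score>6.5</cvss_base_score>
      </ReportItem>
      <ReportItem port="0" protocol="tcp" svc_name="general" severity="0"
                  pluginID="19506" pluginName="Nessus Scan Information">
      </ReportItem>
    </ReportHost>
    <ReportHost name="10.0.5.11">
      <ReportItem port="22" protocol="tcp" svc_name="ssh" severity="1"
                  pluginID="90002" pluginName="SSH Weak MAC Algorithms">
        <cvss_base_score>2.6</cvss_base_score>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

# Assumed threshold: the PCI ASV programme fails a scan on any CVSS base score >= 4.0.
FAIL_THRESHOLD = 4.0


def parse_nessus(xml_text):
    """Return (host, port, plugin_name, cvss) for every ReportItem that carries a CVSS score."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            score_el = item.find("cvss_base_score")
            if score_el is None or score_el.text is None:
                continue  # informational plugins have no score and are not findings
            findings.append((host.get("name"), item.get("port"),
                             item.get("pluginName"), float(score_el.text)))
    return findings


def failing_hosts(findings, threshold=FAIL_THRESHOLD):
    """Group findings at or above the threshold by host; these block a clean result."""
    by_host = defaultdict(list)
    for host, port, name, cvss in findings:
        if cvss >= threshold:
            by_host[host].append((port, name, cvss))
    return dict(by_host)


if __name__ == "__main__":
    for host, items in failing_hosts(parse_nessus(SAMPLE_NESSUS)).items():
        print(host)
        for port, name, cvss in items:
            print(f"  port {port:>5}  CVSS {cvss:>4}  {name}")
```

Hosts with an empty result have no finding at or above the threshold; the remaining hosts need remediation followed by a rescan to evidence the fix.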