The PCI DSS requires that different types of scans be performed, and at different intervals. Here we explain the difference between external vulnerability ASV scans, internal vulnerability scans, penetration tests, segmentation tests, and site integrity scans. It’s important to understand the differences between these scan types and the corresponding requirements of each:

Quarterly External Vulnerability Scans (Requirement 11.3.2) – Also known as ASV scans, these must be performed at least once every three months by an external scanning company that is certified by the PCI Council as an Approved Scanning Vendor (ASV). These scans cannot be performed by an internal employee of your organization. All of the external IP addresses for your location(s) should be included in these scan reports. The objective of this requirement is to identify any vulnerabilities on your systems that could potentially be exploited by an attacker from the internet. All vulnerability scans performed by ServerScan are ASV-certified and satisfy this PCI DSS requirement.

Quarterly Internal Vulnerability Scans (Requirement 11.3.1) – As the name implies, internal vulnerability scans need to be performed at least once every three months from inside your network(s). After March 31, 2025, the PCI DSS (Version 4) requires that these internal scans be “authenticated” scans. These scans can be performed by any individual who is experienced in vulnerability scanning. Most organizations use an internal employee to perform these scans with an automated vulnerability scanning solution. We don’t provide this service as it is usually a task that our clients prefer to handle on their own using commercially available vulnerability scanning software. The purpose of this requirement is to identify any vulnerabilities that could be exploited by an attacker from inside your network. At a minimum, any “high risk” vulnerabilities must be resolved and verified by rescan reports.

Annual Penetration Testing (Requirement 11.4) – These comprehensive tests must be performed at least once a year by a qualified penetration tester to verify that complex manual methods cannot be used to gain unauthorized access to your systems. Penetration tests are usually performed by a third party, but may also be performed by a qualified internal individual with organizational independence; this means that the person performing the penetration test should not be the same person responsible for configuring or managing the systems being tested. Penetration testing should be performed both from a public perspective (from the internet) and from an internal perspective (such as from your out-of-scope networks, if applicable). Penetration tests performed by ServerScan can be used to satisfy this requirement.

Segmentation Testing (Requirements 11.4.5 and 11.4.6) – Segmentation tests are specialized internal penetration tests that are required of organizations that use segmentation to completely isolate their cardholder data environment networks from other internal networks. Segmentation tests verify that no access is allowed from out-of-scope networks to in-scope networks. Segmentation tests must be performed annually for merchants and every six months for service providers. Segmentation penetration tests performed by ServerScan satisfy this requirement.
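The core check behind a segmentation test is simple to state: from a vantage point on an out-of-scope network, every documented in-scope (CDE) service must be unreachable. The following Python script is an added illustration of that check and is not ServerScan's tooling or part of the original page; the CDE target list is a constructed sample and a real test would use the organization's own CDE inventory and be run from each out-of-scope network segment. The probe is pluggable so the verdict logic can be exercised without any network access.

```python
import socket
from typing import Callable, Dict, List, Tuple

# Constructed sample: documented in-scope (CDE) services that must NOT be
# reachable from the out-of-scope network this script is run from.
CDE_TARGETS: List[Tuple[str, int]] = [
    ("10.10.1.10", 443),   # hypothetical payment web tier
    ("10.10.1.11", 1433),  # hypothetical cardholder database
    ("10.10.1.12", 22),    # hypothetical admin SSH on a CDE host
]


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Real probe: a completed TCP handshake means the segmentation control
    (firewall/ACL) let the connection through. Any failure counts as blocked."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def segmentation_check(
    targets: List[Tuple[str, int]],
    probe: Callable[[str, int], bool] = tcp_reachable,
) -> Dict[str, object]:
    """Probe every CDE target and return a PASS/FAIL verdict with evidence.
    A single reachable target is a segmentation failure that must be fixed
    and retested; the full list is returned so the report is complete."""
    reachable = [f"{h}:{p}" for h, p in targets if probe(h, p)]
    blocked = [f"{h}:{p}" for h, p in targets if f"{h}:{p}" not in reachable]
    return {
        "reachable": reachable,
        "blocked": blocked,
        "verdict": "FAIL" if reachable else "PASS",
    }


if __name__ == "__main__":
    result = segmentation_check(CDE_TARGETS)
    print(f"Segmentation test verdict: {result['verdict']}")
    for entry in result["reachable"]:
        print(f"  FINDING: out-of-scope host can reach CDE service {entry}")
```

A TCP connect test covers the common case but not everything a segmentation test should check: UDP services, ICMP, and IPv6 paths also need to be verified, and the target list must cover every in-scope address, not just a sample. The function is written to accept any probe so those additional checks can reuse the same reporting.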

Site Integrity Monitoring (Requirement 11.6) – As of PCI DSS Version 4, public-facing payment applications must also be monitored for unauthorized changes with a tamper-detection mechanism that alerts personnel to any unauthorized modification of HTTP headers and of the contents of payment pages as received and loaded by the customer’s browser. This includes any scripts that may load from third parties. ServerScan will soon be launching a solution that can be leveraged to satisfy this requirement. We are excited to begin offering this service in the next couple of months. Contact our support team for details.
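To make the tamper-detection idea concrete, the following Python script is an added example (not ServerScan's forthcoming product and not code from the original page). It keeps an approved baseline of the security-relevant HTTP headers and of the scripts on the payment page (external scripts inventoried by URL, inline scripts by SHA-256 of their content), takes a fresh snapshot, and reports every header change, added, removed or modified script. The header values, page HTML and host names are constructed samples.

```python
import hashlib
from html.parser import HTMLParser
from typing import Dict, List, Tuple

# Constructed sample: the approved baseline of the payment page.
BASELINE_HEADERS = {
    "content-security-policy": "script-src 'self' https://js.example-psp.test",
    "x-frame-options": "DENY",
}
BASELINE_HTML = """<html><head>
<script src="https://js.example-psp.test/checkout.js"></script>
<script>window.cfg = {merchant: "demo"};</script>
</head><body><form id="payment"></form></body></html>"""

# Constructed sample: a later snapshot in which the CSP was loosened, the
# inline script was edited and an unexpected third-party script appeared.
TAMPERED_HEADERS = {
    "content-security-policy": "script-src *",
    "x-frame-options": "DENY",
}
TAMPERED_HTML = """<html><head>
<script src="https://js.example-psp.test/checkout.js"></script>
<script>window.cfg = {merchant: "demo", debug: true};</script>
<script src="https://cdn.unknown.test/analytics.js"></script>
</head><body><form id="payment"></form></body></html>"""


class _ScriptCollector(HTMLParser):
    """Collects (src, inline_body) for every <script> element on a page."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[Tuple[str, str]] = []
        self._in_script = False
        self._src = ""
        self._buf: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._src = dict(attrs).get("src") or ""
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf)))
            self._in_script = False


def page_fingerprint(html: str) -> Dict[str, str]:
    """Map each script to a stable key and a value to compare against the baseline.
    External scripts are inventoried by URL here; a production monitor should also
    fetch and hash their bodies (or enforce SRI), since a CDN file can change
    without the page's HTML changing."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    fingerprint: Dict[str, str] = {}
    inline_count = 0
    for src, body in parser.scripts:
        if src:
            fingerprint[f"external:{src}"] = "present"
        else:
            inline_count += 1
            fingerprint[f"inline#{inline_count}"] = hashlib.sha256(body.encode()).hexdigest()
    return fingerprint


def detect_tampering(baseline_headers: Dict[str, str], baseline_html: str,
                     current_headers: Dict[str, str], current_html: str) -> List[str]:
    """Return one alert line per unauthorized change; an empty list means clean."""
    alerts: List[str] = []
    current = {k.lower(): v for k, v in current_headers.items()}
    for name, expected in baseline_headers.items():
        actual = current.get(name.lower())
        if actual != expected:
            alerts.append(f"header changed: {name}: expected {expected!r}, got {actual!r}")
    base_fp = page_fingerprint(baseline_html)
    cur_fp = page_fingerprint(current_html)
    for key in sorted(set(base_fp) | set(cur_fp)):
        if key not in cur_fp:
            alerts.append(f"script removed: {key}")
        elif key not in base_fp:
            alerts.append(f"unexpected script added: {key}")
        elif base_fp[key] != cur_fp[key]:
            alerts.append(f"script content changed: {key}")
    return alerts


if __name__ == "__main__":
    for alert in detect_tampering(BASELINE_HEADERS, BASELINE_HTML,
                                  TAMPERED_HEADERS, TAMPERED_HTML):
        print("ALERT:", alert)
```

In practice the snapshot is taken the way the requirement describes it, as the page is received and loaded by the customer's browser, so a real monitor would collect the rendered DOM and the scripts it actually executed rather than only the raw HTML; the comparison logic above stays the same.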