According to requirement 11.2.2, how often must external vulnerability scans be performed by an Approved Scanning Vendor (ASV)?

Multiple Choice

Explanation:
External vulnerability scans must be performed by an Approved Scanning Vendor on a regular basis against externally facing systems, and again whenever the network changes. The key point is that these scans are required at least quarterly, so that newly disclosed vulnerabilities and shifts in the threat landscape affecting internet-reachable systems are caught promptly. In addition, after any significant change to the network (for example adding a new web server, deploying a payment page, altering firewall rules, or reconfiguring network segments) the attack surface can shift, and a fresh scan is needed to verify that the new or altered components do not introduce exploitable weaknesses. An ASV provides standardized, PCI-approved scanning methods and reporting, which makes the scan results credible and suitable for sharing with assessors or acquiring banks. That combination of a quarterly cadence plus re-scanning after meaningful changes is why the correct answer is quarterly and upon significant changes.
