After significant change, who should perform scans and rescans?

Prepare for the PCI Approved Scanning Vendor (ASV) Test. Study with flashcards, multiple choice questions, hints, and explanations. Get exam ready!

Multiple Choice

After significant change, who should perform scans and rescans?

Explanation:
After a significant change, scans should be performed by qualified personnel because changes to the network or systems can introduce new vulnerabilities or misconfigurations that require expert setup, interpretation, and verification. A qualified person can ensure the scan scope and tool configuration are correct, accurately interpret findings, and verify that remediation is effective before moving on. While automated scans play a role, they need supervision by someone with the right training to assess risk correctly and meet PCI requirements. End users typically lack the security expertise to conduct or interpret vulnerability testing, and while external auditors can perform assessments, the essential point is that the person performing the scans has the necessary qualifications.

