PCI Remediation timeframe

Question asked by Matt Clancy on Sep 14, 2011
Latest reply on Sep 15, 2011 by Bernie Weidel

For our ASV service when a customer has a PCI scan fail, do we require them to rescan all of the in-scope addresses or only the addresses that have PCI fail vulnerabilities?  I read the PCI ASV Program Guide and I wasn't sure how to interpret the requirement.  More importantly, I wasn't sure how our PCI service addresses this requirement.
ASV Program Guide v1.0 Page 25:
Resolving Failing Scans

For failing scans, the scan customer uses the following general process until all failing vulnerabilities are corrected and a passing scan is achieved:

  • Scan customer corrects noted failing vulnerabilities
    • Scan customer may seek help from the ASV or other security professional as needed to determine proper corrective actions.
  • Scan customer contacts ASV to initiate another scan
    • If passing scan is achieved, scan customer submits results according to "Compliance Reporting" section below.

For failing scans, scan customer repeats this "Resolving Failing Scans" section.