For our ASV service when a customer has a PCI scan fail, do we require them to rescan all of the in-scope addresses or only the addresses that have PCI fail vulnerabilities? I read the PCI ASV Program Guide and I wasn't sure how to interpret the requirement. More importantly, I wasn't sure how our PCI service addresses this requirement.
ASV Program Guide v1.0 Page 25:
Resolving Failing Scans
For failing scans, the scan customer uses the following general process until all failing vulnerabilities are corrected and a passing scan is achieved:
- Scan customer corrects noted failing vulnerabilities
- Scan customer may seek help from the ASV or other security professional as needed to determine proper corrective actions.
- Scan customer contacts ASV to initiate another scan
- If passing scan is achieved, scan customer submits results according to "Compliance Reporting" section below.
For failing scans, scan customer repeats this "Resolving Failing Scans" section.