Updated: Oct 6, 2020
Mandatory scan and testing requirements that must be covered.
1. Internal VA Scans
For all in-scope systems (CDE and connected systems), e.g. Nessus.
2. External ASV Scan
For the public-facing interfaces of the CDE, run by a PCI SSC Approved Scanning Vendor, e.g. Qualys.
If AWS or another PCI DSS compliant hosting provider is used, the provider's own infrastructure is covered by the provider's PCI DSS attestation under the infrastructure/platform-as-a-service shared responsibility model. Check the provider's PCI responsibility matrix before relying on this: public IPs and load balancers that the customer configures and controls are normally still the customer's to scan.
3. Penetration Test (PT)
Web (application) layer and network layer tests, plus a segmentation test to confirm the CDE is isolated from out-of-scope networks. The segmentation test is half-yearly for service providers (PCI DSS requires it at least every six months; merchants need it at least annually and after any segmentation change).
Both the web layer and the network layer test must be executed; one does not substitute for the other.
4. Data Discovery Scan on CDE Servers
Scan the CDE and connected systems to demonstrate that no cardholder data (CHD), in particular the PAN, is stored on any system other than those defined to store it, and that where it is stored it is rendered unreadable.
All four reports above must be in a clean (passing) state:
· ASV scan and PT: all high and medium risk findings must be remediated; a retest report is required to prove it. Note that an ASV scan only passes when no vulnerability rated CVSS 4.0 or higher remains on an in-scope public interface.
· Internal scan: all high-risk findings must be remediated; a rescan report or results are required after remediation to show the findings are closed.