Mandatory & Timely Risk Assessment & Management process requirement for PCI DSS Standards .

Mandatory requirements around Scan & testing which has to be taken care .

1. Internal VA Scans

For all in Scope Systems, ex. Nessus

Quarterly

2. External ASV Scan

For Public interfaces of CDE , Ex. Qualys

Quarterly

3.Wireless Scan

If AWS & other PCI DSS DC provider are used it will be not applicable for customer , AWS & other SP might be covering this part already for customer under Infra /platform as a service .

Quarterly

4.Internal PT

Web & Network layer along with Segmentation test(half Yearly) .

Yearly

5.External PT

Both Web & Network layer test to be executed .

Yearly

6.Data Discovery Scan on CDE Server’s

Scan performed on CDE to show there is no CHD Data on other systems than what was defined to store such .

Yearly

Note :

All the above 4 Reports should be in good state .

· ASV Scan , PT - All High & medium Risk should be remediated . Retesting report required to prove the same .

· Internal Scan - All High to be remediated, rescan report/results required post remediation .