This requirement is detailed in the PCI DSS Requirement #11.2.1/11.2.3, which describes the testing procedures for internal vulnerability assessments. These assessments must be performed quarterly and after any significant change by qualified internal or external experts, Quilter said.
“I wanted to make sure that the word is getting our for people to pay more attention to internal focus on scanning”, he told Infosecurity.
The internal vulnerability assessment requirement is contained in PCI DSS version 2.0, which was released on January 1 of this year. There were a number changes that were considered "best practices" for the first six months over PCI DSS 2.0, but would become requirements on June 30, including the internal scanning.
“PCI is trying to have more rigor involved in internal scanning over time, which is what they did earlier with external scanning”, Quilter said. “The big change is around having the merchants set their own process for determining the risk associated with a particular vulnerability”, he added.
To obtain a passing grade, the merchants must resolve all “high” vulnerabilities defined in PCI DSS Requirement #6.2, which directs merchants to “establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities.”
In a blog on the topic, Quilter explained: “The key aspect of PCI Requirement #6.2 is that you have a list of vulnerabilities that you (and your organization) have ranked according to your own process. Then you need to leverage these risk rankings in your vulnerability assessment against your internal IP address space. This will allow you to produce a report that shows a passing scan against your internal scope based on the risk rankings of vulnerabilities you have specified.”
Quilter stressed that beginning June 30, internal scanning must performed quarterly and after any significant change to the environment.
“This will mean that you will want to make sure that however you are assigning risk rankings and using risk rankings in concert with your vulnerability assessment tool, it is simple and repeatable. The ability to automatically produce an internal assessment report quarterly and after any change is a critical component of maintaining your PCI compliance”, he wrote.
Quilter advised merchants to have a "structured approach for dealing with PCI DSS changes, involving stakeholders, evaluating their impact, and planning controls to close gaps. This will help make any security program resilient to environmental and regulatory changes and ensure that the organization can maintain PCI compliance.”