The Payment Card Industry Data Security Standard (PCI DSS) requires merchants that handle cardholder data to perform regular vulnerability scans, so that security flaws are found and fixed before an attacker finds them. Merchants often ask, "When do I need to run a PCI scan?" The answer is quite simple.

What are the Requirements of the PCI DSS for Vulnerability Scans?

To know when a PCI scan is required, we first need to know what the PCI DSS requires. The PCI DSS requires merchants to run both internal and external vulnerability scans, so that the systems handling cardholder data are kept up to current security standards.

External scans: External scans are conducted from outside the organization and must cover all of the organization's external (Internet-facing) IP addresses. They reveal the vulnerabilities in your perimeter that attackers could exploit to get hold of sensitive cardholder data.

Internal scans: Internal scans are performed from inside the organization's network, from multiple locations, to assess the security of the systems within the cardholder data environment.

These scans point out flaws and give you a review of your internal security, showing what attackers could exploit once they have a foothold inside the network.

When is a PCI Scan required?

A PCI scan must be performed at least quarterly. To keep the environment well protected, the quarterly scans should be supplemented with scans in between quarters; beyond that, a scan is required whenever a significant change is made to the cardholder data environment.
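The two coverage rules above (every external IP address in scope, scans at least quarterly and after changes) are easy to state and easy to drift away from in practice. The following Python script is an added example, not code from the original article or from any PCI body: given a host inventory, the targets each scan actually covered, and a change log, it lists hosts that were never scanned or not scanned within the last quarter, gaps between scans longer than a quarter, and changes with no follow-up scan. It assumes a 90-day reading of "quarterly", a (date, targets) shape for scan records and a (date, description) shape for change records; the sample data is constructed and uses the 203.0.113.0/24 documentation range.

```python
from datetime import date, timedelta

QUARTER = timedelta(days=90)   # assumed reading of "quarterly"
AS_OF = date(2024, 9, 1)        # constructed "today" for the example

# Constructed sample data (not real infrastructure). 203.0.113.0/24 is a
# documentation range (TEST-NET-3).
EXTERNAL_INVENTORY = ["203.0.113.1", "203.0.113.2", "203.0.113.3", "203.0.113.4"]
SCANS = [  # (scan date, targets actually scanned), e.g. taken from an ASV report
    (date(2024, 1, 10), ["203.0.113.1", "203.0.113.2", "203.0.113.3"]),
    (date(2024, 4, 2),  ["203.0.113.1", "203.0.113.2", "203.0.113.3"]),
    (date(2024, 8, 20), ["203.0.113.1", "203.0.113.2"]),
]
CHANGES = [  # (change date, description) from the change log
    (date(2024, 5, 15), "added TLS terminator 203.0.113.4"),
    (date(2024, 8, 25), "firewall rule update on edge"),
]


def last_scan_per_host(inventory, scans):
    """Map each in-scope host to the date it was last scanned (None if never)."""
    last = {host: None for host in inventory}
    for scan_date, targets in scans:
        for host in targets:
            if host in last and (last[host] is None or scan_date > last[host]):
                last[host] = scan_date
    return last


def stale_hosts(inventory, scans, as_of):
    """Hosts never scanned, or not scanned within the last quarter as of as_of."""
    last = last_scan_per_host(inventory, scans)
    return sorted(h for h, d in last.items() if d is None or as_of - d > QUARTER)


def cadence_gaps(scans, as_of):
    """Intervals longer than a quarter between consecutive scans, or from the
    last scan to as_of. Each gap is returned as (earlier date, later date)."""
    dates = sorted(d for d, _ in scans)
    gaps = []
    for earlier, later in zip(dates, dates[1:] + [as_of]):
        if later - earlier > QUARTER:
            gaps.append((earlier, later))
    return gaps


def changes_without_scan(changes, scans):
    """Descriptions of changes after which no scan has been run at all."""
    scan_dates = sorted(d for d, _ in scans)
    return [desc for change_date, desc in changes
            if not any(d >= change_date for d in scan_dates)]


if __name__ == "__main__":
    print("stale or never-scanned hosts:", stale_hosts(EXTERNAL_INVENTORY, SCANS, AS_OF))
    print("cadence gaps longer than a quarter:", cadence_gaps(SCANS, AS_OF))
    print("changes with no follow-up scan:", changes_without_scan(CHANGES, SCANS))
```

On the sample data the script flags 203.0.113.3 (last scanned in April) and 203.0.113.4 (added in May, never scanned), the 140-day gap between the April and August scans, and the August 25 firewall change that no scan has followed. The point a practitioner should take from it is that "we scan quarterly" is only true per host and per change, not per scanner run, so the inventory and change log have to feed the check.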

Can I Perform the Scans?

The answer is both yes and no. You may perform the internal scans yourself to meet the internal scan requirement, but the PCI DSS requires that external scans be performed by an Approved Scanning Vendor (ASV). If you do run internal scans on your own, make sure they are performed by qualified staff who are organizationally independent from the staff responsible for the systems being scanned.

Every merchant with an external IP address, whatever its merchant level, must undergo vulnerability scans as described above. This has caused confusion in the security community, and many believe that Level 4 merchants (those processing fewer than 1,000,000 transactions a year) do not need such scans. That is not the case, as set out in MasterCard's Site Data Protection (SDP) program requirements and Visa's Cardholder Information Security Program (CISP) requirements.

© 2024   Created by Beter HBO.