During initial PCI DSS compliance, which statement about quarterly vulnerability scans is true?


Multiple Choice

During initial PCI DSS compliance, which statement about quarterly vulnerability scans is true?

Explanation:

The key idea is that during the initial PCI DSS assessment, what matters is showing an active vulnerability management process and the ability to remediate findings, not waiting for a perfect history of scans. The correct statement is that the assessor may allow initial compliance if the most recent scan passed, there are documented quarterly scanning policies, and vulnerabilities found in earlier scans have been remediated in follow-up scans. It acknowledges that you have ongoing processes (policies) and that remediation is being tracked, with the latest scan confirming no current critical gaps, while still allowing some vulnerabilities to be addressed in subsequent scans.

"Four consecutive quarterly scans must pass for initial compliance" isn't correct because initial compliance doesn't require a perfect multi-quarter pass history up front; it centers on having the processes in place, the most recent scan evidence, and remediation plans.

"Quarterly internal scans are not required" is false because internal vulnerability scanning is a core part of PCI DSS 11.2.

"External scans are optional during initial compliance" is also false, since external vulnerability scans performed by an Approved Scanning Vendor (ASV) are a required element of PCI DSS.
