What is required for internal vulnerability scans in the quarterly cycle?

• A. Internal vulnerability scans must be performed quarterly and rescans until all high-risk vulnerabilities are resolved.
• B. Internal scans are optional.
• C. Only external scans are required.
• D. Remediation of vulnerabilities is not tracked.

Answer: (A)

Quarterly internal vulnerability scanning with verification through rescans until high-risk vulnerabilities are resolved is required. PCI DSS mandates internal scans on at least a quarterly basis and after significant changes, and it requires that identified vulnerabilities—especially high-risk ones—are remediated and verified by subsequent rescans. This ensures issues aren’t just identified but actually fixed and confirmed, with the remediation tracked to prevent lingering risk.

The other options don’t fit because internal scans aren’t optional, external-only scanning doesn’t cover internal risk, and remediation must be tracked to ensure vulnerabilities are closed.