POS terminals vs vulnerability scan


Levis
01-15-2009, 03:37 AM
Hello,

can you please help me with a short question. Let's imagine we have a merchant and it owns, e.g., 500 point-of-sale terminals connected to the authorisation centre by means of the internet. That means they have active IP addresses (hope so:)). Does it mean that the PCI quarterly vulnerability scan needs to be performed for all of the mentioned POS terminals, or is there some limitation?

Thank you very much for the answer.

Martin,
Prague

jbhall56
01-15-2009, 10:27 AM
Under PCI DSS v1.2, merchants and processors are required to conduct external and internal vulnerability scans at least quarterly and whenever there are significant changes to the network or applications, covering all devices and applications that process, store or transmit cardholder data (CHD). Also under v1.2, they are required to conduct external and internal penetration testing at least annually and whenever there are significant changes to the network or applications, again covering all devices and applications that process, store or transmit CHD.

So, under your scenario, you will be required to conduct such testing of the firewalls, routers and the POS terminals, as they all transmit CHD, and the POS terminals, at a minimum, process CHD.