Identifying your IP addresses that need external vulnerability scanning performed by an Approved Scanning Vendor (ASV) for your compliance with requirement 11.2.2 of the PCI DSS.

If you are unsure which IP addresses to configure for ASV scanning, the following simple steps will help you to know which addresses you need to include:

  1. Identify all your locations where cardholder data is handled in any way on your network(s). If cardholder data is viewed, received, transmitted, or stored by any devices at a location then that location is in-scope for PCI DSS compliance. Potentially in-scope locations can include datacenters, offices, stores, call centers, and hosted server environments.
  2. Once you know which locations are in-scope, identify all the public IP addresses for those locations. The resulting list of IP addresses need to be scanned by an ASV for compliance with PCI DSS requirement 11.2.2. ASV scans are performed from a public perspective. In other words, ASV scans are only performed on public IP addresses regardless of the equipment you have inside your network (point-of-sale devices, database servers, web servers, workstations etc.)

Keep in mind that some locations only have a single public IP address while others have a range of public addresses. All your public IP addresses for in-scope locations must be scanned by an ASV at least quarterly and after all significant changes in order to be PCI complaint. If any failing findings are identified, the failing issues should be resolved and the scan repeated so that a passing scan report is obtained. Keep a copy of passing scan reports for a couple years so that you can provide them if requested for your PCI compliance.

Also note that internal scanning is a different requirement (11.2.1) of the PCI DSS. As the name implies, internal vulnerability scanning is performed from inside a network on internal IP addresses. In contrast to external scanning, internal scanning does not need to be performed by an ASV for PCI compliance. Therefore, most organizations choose to perform these internal scans on their own using an internal vulnerability scanning utility such as OpenVAS. Webservers, Email servers, VPN servers, and other similar devices are generally located on an internal network or DMZ with restricted public access. The services mapped to your external IP addresses will be analyzed by your ASV scans. Internal vulnerability scans also need to be run on these same devices to cover any services that are not publicly accessible.