The current PCI DSS quarterly vulnerability scanning requirement is nothing short of ridiculous, given that most operating system vendors and some application software providers release patches at least monthly, writes GuestView PCI Columnist Jeff Hall. (OK, it isn't so ridiculous if your goal is to guarantee a constant security hole for the convenience of cyberthieves. For those of you whose goals are other than that, though....) When Visa published its Customer Information Security Program (CISP) back in 2002, it set the bar at quarterly vulnerability scanning because that was believed to be the most efficient and cost-effective way to provide security. The practice has continued unaltered, even after the CISP was converted to the PCI DSS in 2007.
Over the past decade, Council officials, retail IT people and QSAs have begun to question the quarterly requirement, but the fear has been that retailers would simply not scan more often, because they could never cost-justify it, particularly Level 4 retailers. The Council has always had a strongly pragmatic streak, weighing the effectiveness of its guidelines against what it could realistically expect retailers to do.