Question: Our cardholder data environment (CDE) resides in a private cloud with Amazon Web Services. One of our core applications in the CDE is not accessible to the public internet; however, we have a private circuit in place that allows two of our external partners to access the application. Having said this, I’d like to know whether or not we need to have an ASV scan this system.
Answer: Good question. PCI DSS Requirement 11.3.2 requires application-layer penetration testing of both the internal and the external (public and private) environments, so although this application isn't publicly reachable from the Internet, if it is (a) home-grown and (b) available to third parties, it should also be assessed via a penetration test.
Having said that, I would err on the side of conducting the scan, since the application (and, consequently, your CDE) is exposed to third parties.