“Ask the QSA”
Question: We achieved our SAQ-D in August 2014. We just had some quarterly scans executed and need to remediate two vulnerabilities. Are we now not PCI compliant because some vulnerabilities came up and we are resolving them?
Answer: PCI DSS is built as a set of controls that are meant to operate continuously, so compliance is a process you maintain between assessments rather than a state you reach once and keep. Failing a control during the year does not by itself make you non-compliant, provided you detect the failure, respond to it, and improve your process so that it is less likely to recur. What does put you out of compliance is leaving those vulnerabilities unaddressed.
In your situation, organizations turn up failing scan findings quite often and for a whole variety of reasons (new vulnerabilities published since the last scan, configuration drift, newly deployed systems). As long as you identify the vulnerabilities in a timely manner (which you have), remediate them (which you say you are doing), and put measures in place to keep them from resurfacing (as far as possible), you remain in compliance with PCI DSS. Keep in mind that the quarterly external scans have to pass, so you will need to rescan after remediation and repeat until the scan comes back clean, then retain the original report and the passing rescan together as evidence for your 2015 compliance initiative.
Subscribe to this blog for additional payment security tips.