To remain PCI-compliant, I conduct quarterly security assessments of our infrastructure. This means external testing of our internet-facing PCI resources, using an approved scanning vendor (ASV), and what I call internal PCI full-population scans.
We do the external scanning every month, even though PCI requires only quarterly scanning. If there is a problem, I want to catch it sooner than two months or more after it first cropped up. And the frequency isn’t a problem, because conducting the scans is easy, even though I use three different ASVs.