
How can vulnerability scanning tools help with PCI DSS compliance?
Vulnerability scanning tools are necessary to be fully compliant with PCI DSS, but the tools need to come from a PCI DSS Approved Scanning Vendor. Expert Mike Chapple explains.
My company is looking at products to help with PCI DSS compliance. How do vulnerability scanning tools like Tenable's Nessus Cloud help enterprises achieve compliance? What PCI DSS requirements do they fulfill?
Nessus Cloud is one example of a vulnerability scanning product whose vendor offers external scanning services as a PCI DSS Approved Scanning Vendor. These vendors perform network-based vulnerability scans of card processing environments from their own data centers, over the internet, without any special VPN connection into the customer's network. The resulting scan reports therefore show an attacker's-eye view of the organization's network as it appears from the internet.
The full text of the requirement for vulnerability scanning tools reads:
11.2.2 Perform quarterly external vulnerability scans via an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC).
While your company may meet the other, internal scanning requirements of PCI DSS by using its own vulnerability scanning tools, this requirement clearly indicates that an outside vendor, specifically an ASV, must perform the external scans. If your company already runs an internal scanning product from a vendor that also offers ASV external scanning services, such as Nessus or Qualys, it may benefit from using that same vendor for the external scans. This provides the operational efficiency of a single scanning platform and potential cost savings from bundling the services together.
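To make the distinction in the answer concrete (internal scans with your own tools versus quarterly external scans by an ASV), here is an added Python example that is not part of the original column or of any vendor's product. It takes a constructed list of scan records, keeps only the ones that can count toward requirement 11.2.2 (external scope and an ASV-approved vendor), and flags gaps between qualifying scans that are longer than a quarter. The 92-day threshold, the vendor labels and the dates are all assumptions made for the example; confirm the cadence interpretation with your assessor.

```python
"""Cadence check for PCI DSS 11.2.2 external ASV scans (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List

# Assumption: "quarterly" is modelled as no more than MAX_GAP_DAYS between
# consecutive qualifying scans (and from the last scan to the as-of date).
MAX_GAP_DAYS = 92


@dataclass(frozen=True)
class ScanRecord:
    scan_date: date
    scope: str          # "external" (run from the internet) or "internal"
    vendor: str         # hypothetical vendor label, constructed for the example
    asv_approved: bool  # vendor is on the PCI SSC ASV list at scan time


def counts_toward_11_2_2(rec: ScanRecord) -> bool:
    """Only external scans run by an ASV satisfy 11.2.2; internal scans never do,
    and an external scan by a non-ASV tool does not either."""
    return rec.scope == "external" and rec.asv_approved


def qualifying_scans(records: Iterable[ScanRecord]) -> List[ScanRecord]:
    """Qualifying scans in chronological order."""
    return sorted((r for r in records if counts_toward_11_2_2(r)),
                  key=lambda r: r.scan_date)


def cadence_findings(records: Iterable[ScanRecord], as_of: date,
                     max_gap_days: int = MAX_GAP_DAYS) -> List[str]:
    """Return human-readable findings; an empty list means cadence holds."""
    scans = [r for r in qualifying_scans(records) if r.scan_date <= as_of]
    if not scans:
        return [f"no qualifying ASV external scan on record as of {as_of}"]
    findings = []
    # Check every gap between consecutive qualifying scans, plus the gap
    # from the most recent scan to the as-of date.
    checkpoints = [s.scan_date for s in scans] + [as_of]
    for earlier, later in zip(checkpoints, checkpoints[1:]):
        gap = (later - earlier).days
        if gap > max_gap_days:
            findings.append(f"gap of {gap} days between {earlier} and {later} "
                            f"exceeds {max_gap_days} days")
    return findings


# Constructed sample data: mixes internal scans, ASV external scans and one
# external scan run with an in-house tool that is not an ASV.
SAMPLE_RECORDS = [
    ScanRecord(date(2016, 1, 12), "external", "asv-vendor-a", True),
    ScanRecord(date(2016, 2, 15), "internal", "in-house-scanner", False),
    ScanRecord(date(2016, 4, 8), "external", "asv-vendor-a", True),
    ScanRecord(date(2016, 5, 20), "internal", "in-house-scanner", False),
    ScanRecord(date(2016, 8, 30), "external", "asv-vendor-a", True),
    ScanRecord(date(2016, 9, 1), "external", "in-house-scanner", False),
]

if __name__ == "__main__":
    for line in cadence_findings(SAMPLE_RECORDS, date(2016, 10, 1)) or ["cadence OK"]:
        print(line)
```

Run as a script it reports the single 144-day gap between the April and August ASV scans; the internal scans and the non-ASV external scan are ignored, which is exactly the point of 11.2.2.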