[PCI DSS 1.x] 11.2 Run internal and external network vulnerability scans at least quarterly and after any signific

11.2.a Inspect output from the most recent four quarters of network, host, and application vulnerability scans to verify that periodic security testing of the devices within the cardholder environment occurs. Verify that the scan process includes rescans until .clean. results are obtained
11.2.b To verify that external scanning is occurring on a quarterly basis in accordance with the PCI Security Scanning Procedures, inspect output from the four most recent quarters of external vulnerability scans to verify that

  • Four quarterly scans occurred in the most recent 12-month period
  • The results of each scan satisfy the PCI Security Scanning Procedures (for example, no urgent, critical, or high vulnerabilities)
  • The scans were completed by a vendor approved to perform the PCI Security Scanning Procedures

Hello Everyone,

I had a quick questions. For external vulnerability scans I have a T1 with a /26, now I know which IP’s are alive on that network. My questions is do I need to have the entire /26 scanned or just the IP’s that I know are alive for a fact?