[PCI DSS 1.x] 11.3 Perform penetration testing at least once a year and after any significant infrastructure or ap

11.3 Obtain and examine the results from the most recent penetration test to verify that penetration testing is performed at least annually and after any significant changes to the environment. Verify that any noted vulnerabilities were corrected. Verify that the penetration tests include:


11.3 c mentions that scanning needs to be performed by a qualified internal resource - what constitutes “qualified”?

And secondly it says “if applicable, does organizational independence exist” - under what circumstances is organizational independence required?

