Can multiple scan reports be combined to show quarterly coverage?


Multiple Choice

Can multiple scan reports be combined to show quarterly coverage?

Explanation:
Vulnerability scanning for PCI DSS is evaluated over the quarter, not by a single scan. You can accumulate results from multiple scans conducted within that quarter to show that every in-scope system was scanned at least once and that any vulnerabilities found were addressed. The key idea is proving complete coverage across the quarter: all assets were scanned and remediation occurred by quarter’s end. This approach works for both internal and external scans, as long as the combined reports cover the entire scope and the remediation status is documented. If some asset wasn’t scanned at all during the quarter, aggregation wouldn’t satisfy the requirement, but when coverage is complete, combining scans is a valid way to demonstrate quarterly compliance.

