What does PCI DSS Requirement 6.5.6 require you to address?


Multiple Choice

What does PCI DSS Requirement 6.5.6 require you to address?

Explanation:
The main idea here is prioritizing remediation based on risk as part of vulnerability management. PCI DSS (the v3.2.1 numbering this question uses) requires you to establish a vulnerability identification process (Requirement 6.1) that draws on multiple sources, such as scan results, vendor advisories and public vulnerability feeds, and assigns a risk ranking to each finding. Requirement 6.5.6 then sits under 6.5, which covers common coding vulnerabilities in software-development processes, and specifies that developed applications must address all "high risk" vulnerabilities identified through that 6.1 process. So the focus is not on fixing every vulnerability, nor only those found by external scans, nor only high-risk issues already in production. It is about timely remediation of all high-risk vulnerabilities identified by your defined vulnerability identification process. Low- or medium-risk findings may be managed per your policy, but the clause in question targets high-risk items identified by the process. Note that PCI DSS v4.0 restructures Requirement 6: identification and risk ranking of vulnerabilities moves to 6.3.1, so the "6.5.6" identifier applies to v3.2.1 assessments.
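To make the relationship between the 6.1 process and the 6.5.6 obligation concrete, here is an added example that is not part of the Examzify page or of any PCI SSC material. It merges findings from two constructed sources, applies a risk ranking, and returns the open high-risk set that 6.5.6 says must be addressed. The CVSS thresholds, the cardholder-data-environment (CDE) criticality bump, the placeholder CVE identifiers and the sample findings are all assumptions; PCI DSS leaves the ranking criteria to each organization.

```python
"""Risk-ranked vulnerability triage in the spirit of PCI DSS v3.2.1 Req. 6.1 / 6.5.6.

Added example, not from the quiz page or the PCI SSC. Thresholds, asset
criticality rules, CVE placeholders and sample findings are constructed.
"""
from dataclasses import dataclass

# Assumption: CVSS v3 base score >= 7.0 is "high risk" anywhere; on a CDE asset
# the bar is lowered to 4.0 because of the asset's criticality. PCI DSS lets
# each organization define its own ranking; this is one defensible choice.
HIGH_RISK_CVSS = 7.0
HIGH_RISK_CVSS_CDE = 4.0


@dataclass(frozen=True)
class Finding:
    source: str      # e.g. "internal-scan", "vendor-advisory"
    asset: str
    cve: str         # placeholder identifiers below, not real CVEs
    cvss: float
    in_cde: bool
    status: str      # "open" or "remediated"


# Constructed sample findings from two sources (6.1 asks for multiple sources).
SAMPLE_FINDINGS = [
    Finding("internal-scan", "web-01", "CVE-0000-0001", 9.8, True, "open"),
    Finding("vendor-advisory", "web-01", "CVE-0000-0001", 9.8, True, "open"),  # same issue, second source
    Finding("internal-scan", "db-01", "CVE-0000-0002", 5.3, True, "open"),
    Finding("internal-scan", "wiki-01", "CVE-0000-0003", 5.3, False, "open"),
    Finding("vendor-advisory", "pay-api", "CVE-0000-0004", 8.1, True, "remediated"),
]


def rank(f: Finding) -> str:
    """Assign the organization's risk ranking (6.1): asset context matters, not just the score."""
    threshold = HIGH_RISK_CVSS_CDE if f.in_cde else HIGH_RISK_CVSS
    return "high" if f.cvss >= threshold else "low-medium"


def dedupe(findings):
    """Merge the same (asset, CVE) reported by several sources into one record.

    The merged record keeps the highest score, is in the CDE if any source says so,
    and stays open if any source still reports it open.
    """
    merged = {}
    for f in findings:
        key = (f.asset, f.cve)
        prev = merged.get(key)
        if prev is None:
            merged[key] = f
            continue
        merged[key] = Finding(
            source=prev.source + "+" + f.source,
            asset=f.asset,
            cve=f.cve,
            cvss=max(prev.cvss, f.cvss),
            in_cde=prev.in_cde or f.in_cde,
            status="open" if "open" in (prev.status, f.status) else "remediated",
        )
    return list(merged.values())


def high_risk(findings):
    """All findings the 6.1 process ranks high, regardless of source or status."""
    return [f for f in dedupe(findings) if rank(f) == "high"]


def requirement_6_5_6_gap(findings):
    """High-risk findings still open: the set 6.5.6 requires you to address."""
    return [f for f in high_risk(findings) if f.status == "open"]


if __name__ == "__main__":
    for f in requirement_6_5_6_gap(SAMPLE_FINDINGS):
        print(f"OPEN high-risk: {f.asset} {f.cve} cvss={f.cvss} via {f.source}")
```

Two details carry the quiz's point: db-01 is ranked high only because of the CDE rule, so a score-only view would miss it, and the web-01 issue is one item even though two sources reported it, so remediation is tracked once rather than per scanner.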

