In a recent question to the PCI DSS Guru, David asked:

“In PCI DSS Vulnerability Scanning you mention in the audit section that all high vulnerabilities must be addressed. Is this the external scan only, or do all internal scan highs also need to be addressed? We have many layers including a WAF to protect from the outside.”

The bottom line, David, is yes: you must remediate all high-risk vulnerabilities identified by the internal scan as well. Requirement 11.2.1 is the quarterly internal scan requirement (external scans by an Approved Scanning Vendor are covered separately under 11.2.2), so the layers protecting your perimeter, WAF included, have no bearing on it. For confirmation, see the testing procedure a QSA follows when determining whether you comply with PCI DSS Requirement 11.2.1.b. It reads:

Review the scan reports and verify that the scan process includes rescans until all “high-risk” vulnerabilities as defined in PCI DSS Requirement 6.1 are resolved. 
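
The procedure above is something you can check yourself before the assessor does. The following is an added example, not part of the original post and not a PCI SSC tool: it traces every "high" finding across successive scan reports for each scope and reports which ones were never shown resolved by a later rescan. The data model, host addresses, check identifiers and dates are all constructed placeholders, and the same rescan-until-resolved test is applied to the external scope for symmetry (the ASV pass criteria under 11.2.2 are a separate matter).

```python
"""Added example: check scan reports against the rescan-until-resolved
test a QSA applies under PCI DSS 11.2.1.b. All sample data is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Finding:
    host: str       # scanned asset
    check_id: str   # scanner's vulnerability/plugin identifier (placeholders below)
    severity: str   # risk ranking assigned under Requirement 6.1: "high", "medium" or "low"


@dataclass(frozen=True)
class ScanReport:
    scope: str                      # "internal" or "external"
    scan_date: date
    findings: Tuple[Finding, ...]


def _by_scope(reports: Iterable[ScanReport]) -> Dict[str, List[ScanReport]]:
    """Group reports by scope and order each group chronologically."""
    grouped: Dict[str, List[ScanReport]] = {}
    for report in reports:
        grouped.setdefault(report.scope, []).append(report)
    for scans in grouped.values():
        scans.sort(key=lambda r: r.scan_date)
    return grouped


def high_risk_history(reports: Iterable[ScanReport]) -> Dict[str, Dict[Tuple[str, str], dict]]:
    """Trace each high-risk finding (host, check_id) across successive scans per scope.

    resolved_on is the date of the first later scan in which the finding no longer
    appears; it is None while the finding is still present in the latest scan.
    A finding that disappears and then reappears is treated as open again."""
    result: Dict[str, Dict[Tuple[str, str], dict]] = {}
    for scope, scans in _by_scope(reports).items():
        history: Dict[Tuple[str, str], dict] = {}
        for scan in scans:
            present = {(f.host, f.check_id) for f in scan.findings if f.severity == "high"}
            for key in present:
                entry = history.setdefault(
                    key, {"first_seen": scan.scan_date, "last_seen": scan.scan_date, "resolved_on": None}
                )
                entry["last_seen"] = scan.scan_date
                entry["resolved_on"] = None          # still present (or back again): not resolved
            for key, entry in history.items():
                if key not in present and entry["resolved_on"] is None:
                    entry["resolved_on"] = scan.scan_date   # absent from this rescan: resolved
        result[scope] = history
    return result


def unresolved_high_risk(reports: Iterable[ScanReport]) -> Dict[str, List[Tuple[str, str]]]:
    """High-risk findings still open in the latest scan of each scope."""
    return {
        scope: sorted(key for key, entry in hist.items() if entry["resolved_on"] is None)
        for scope, hist in high_risk_history(reports).items()
    }


def meets_11_2_1_b(reports: Iterable[ScanReport], required_scopes=("internal", "external")) -> bool:
    """True only when every required scope has been scanned and none has an open high.

    A clean external scan (for example behind a WAF) does not offset an open
    internal high; each scope is judged on its own rescans."""
    reports = tuple(reports)
    open_highs = unresolved_high_risk(reports)
    if any(scope not in open_highs for scope in required_scopes):
        return False                                 # an unscanned scope cannot be shown compliant
    return not any(open_highs.values())


# Constructed sample: an initial internal scan with two highs, a rescan that
# fixed one of them, and two clean external scans. IDs and addresses are placeholders.
SAMPLE_REPORTS = (
    ScanReport("internal", date(2014, 1, 15), (
        Finding("10.10.1.5", "CHK-1001", "high"),
        Finding("10.10.1.5", "CHK-2002", "medium"),
        Finding("10.10.1.9", "CHK-1007", "high"),
    )),
    ScanReport("internal", date(2014, 2, 3), (
        Finding("10.10.1.5", "CHK-2002", "medium"),
        Finding("10.10.1.9", "CHK-1007", "high"),    # still open after the rescan
    )),
    ScanReport("external", date(2014, 1, 20), (
        Finding("203.0.113.10", "CHK-3005", "low"),
    )),
    ScanReport("external", date(2014, 4, 18), ()),
)

if __name__ == "__main__":
    for scope, findings in unresolved_high_risk(SAMPLE_REPORTS).items():
        print(f"{scope}: {len(findings)} open high-risk finding(s) {findings}")
    print("11.2.1.b satisfied:", meets_11_2_1_b(SAMPLE_REPORTS))
```

Run against the sample, the check reports one open internal high (10.10.1.9, CHK-1007) and no external highs, and the overall result is not compliant: the clean external scope does nothing for the internal finding. Medium and low findings are ignored deliberately, since the testing procedure only requires rescans until the "high-risk" findings are resolved.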

This is written in a very clear-cut manner: you must remediate those vulnerabilities to meet both the letter and the intent of the requirement. If you cannot, you may document a compensating control instead, but it is subject to review and approval by your assessor. To be acceptable, the measure(s) you put in place must satisfy three tests:

1. They must meet the intent and rigor of the requirement that you are compensating for.

2. They must mitigate the same risk.

3. They must be “above and beyond” other PCI DSS requirements.

If you are already using a web application firewall to satisfy PCI DSS Requirement 6.6, offering that same WAF as a compensating control for unremediated internal vulnerabilities would most likely fail the third test: a control another requirement already obliges you to have is not "above and beyond". It is also a poor fit for the second test, since a WAF inspects traffic arriving from outside, while a finding from an internal scan is exposed to anything already on the internal network.