Reply to post: Re: Start employing people who actually know what they're talking about

Please tell us why you're not securing yourselves, UK.gov asks businesses

Anonymous Coward
Re: Start employing people who actually know what they're talking about

There's no PCI-DSS requirement to whitelist all ASV scanner traffic on your external firewalls. The only thing you need to whitelist is active/dynamic rules that change on the fly in response to behaviour (eg blocking an IP because a scan has been detected). External ASV scans just require the same access that an internet-based attacker would have - nothing more. In this case (based on the information provided), if no inbound traffic is permitted, there would be no reason to whitelist inbound traffic for the external scan.
