By: PCIGuru

In reply to <a href="https://pciguru.wordpress.com/2009/03/08/vulnerability-scanning-and-penetration-testing/#comment-76578">Igor</a>. Category 2 or "Connected To" systems as the Council prefers them to be referred to are definitely in scope and must meet the same requirements as those in the cardholder data environment (CDE). Therefore, yes you need to vulnerability scan and penetration test the workstation or any workstation that accesses the Jump Server.