PCI DSS Requirement 6.3.1 requires entities to assign a risk ranking to vulnerabilities (e.g., high, medium, low) to ensure that remediation efforts are prioritised. This risk-based approach helps organisations focus resources where they are most needed.
Option A: ❌ Incorrect. Timeframes depend on the severity and internal policy, not always 30 days.
Option B: ❌ Incorrect. Risk ranking supports remediation but doesn’t replace scanning.
Option C: ✅ Correct. The purpose is to prioritise higher-risk items for faster action.
Option D: ❌ Incorrect. Patch frequency is addressed elsewhere (Requirement 6.3.3).
[Reference: PCI DSS v4.0.1 – Requirement 6.3.1]