The problem is that they have to scan your production environment, and if you don't have two of them, then you risk their scan destroying that environment. This is because you are allowed to instruct them not to exploit the vulnerabilities that they think they've found. If they were required to exploit vulnerabilities as part of the external scan, every company would need 1/3 more (assuming prod, test, dev environments) resources (IP addresses, hardware, software, etc.) in order to allow one environment to be broken during the audit. If you want the cost of everything you buy to go up by 20% (before taxes), push for this change to PCI.