An internally vulnerability scan is normally performed by an automated tool. There are many on the market including both FOSS and commercial software. If you don’t know where to start looking then the list of Approved Scanning Vendors (ASVs) on the PCI website is a good place to start. You don’t have to use an ASV for the internal scan but they will certainly have products that can help you.

An internal vulnerability scan will normally be run from a console which has access to the internal environment. It will start off with network probes and work its way up the stack depending on what it finds. Given it is an automated scan, don’t expect it to provide the same level of detail as a targeted penetration test but it is a good start to see where your security is.

It would be quite unusual to write your own vulnerability scanner as it requires specialist knowledge of networks, operating systems and applications as well as security vulnerabilities. And it needs to be kept up to date as new vulnerabilities in the stack are found. If you have all of these skills then there are probably jobs out there for you with one of the commercial companies!