Vulnerability scans are required at least once every three months and after a significant change. What is meant by “significant change” in PCI DSS?
Significant Change in PCI DSS
Defining a significant change is highly dependent on the configuration of your environment.
However, these activities are considered as “Significant Change” by PCI Council:
- New hardware, software, or networking equipment added to the CDE.
- Any replacement or major upgrades of hardware and software in the CDE.
- Any changes in the flow or storage of account data.
- Any changes to the boundary of the CDE and/or to the scope of the PCI DSS assessment.
- Any changes to the underlying supporting infrastructure of the CDE (including, but not limited to, changes to directory services, time servers, logging, and monitoring).
- Any changes to third party vendors/service providers (or services provided) that support the CDE or meet PCI DSS requirements on behalf of the entity.
Each of these activities, at a minimum, have potential impacts on the security of an entity’s cardholder data environment (CDE), and must be considered and evaluated to determine whether a change is significant for that entity and in the context of related PCI DSS requirements.
Was this article helpful?
The PCI DSS compliance guide
Find a handy glossary and all PCI DSS rules in Adyen Docs.View compliance guide