Vulnerability scans are required at least once every three months and after a significant change. What is meant by “significant change” in PCI DSS?
Significant Change in PCI DSS
What counts as a significant change depends heavily on the configuration of your environment.
However, the PCI Council treats the following activities as a “significant change”:
- New hardware, software, or networking equipment added to the CDE.
- Any replacement or major upgrades of hardware and software in the CDE.
- Any changes in the flow or storage of account data.
- Any changes to the boundary of the CDE and/or to the scope of the PCI DSS assessment.
- Any changes to the underlying supporting infrastructure of the CDE (including, but not limited to, changes to directory services, time servers, logging, and monitoring).
- Any changes to third party vendors/service providers (or services provided) that support the CDE or meet PCI DSS requirements on behalf of the entity.
Each of these activities, at a minimum, has a potential impact on the security of an entity’s cardholder data environment (CDE), and must be considered and evaluated to determine whether a change is significant for that entity and in the context of the related PCI DSS requirements.