PCI Requirement 11.2.3 – Perform Internal and External Scans, and Rescans as Needed, After Any Significant Change

by Randy Bartels / June 5th, 2018

Significant Changes in Your Cardholder Data Environment

PCI Requirement 11.2.3 requires that you run a vulnerability scan any time you make a significant change to your environment, whether internal or external. A significant change could be a new system component installation, a change in network topology, a firewall rule modification, or a product upgrade, but what counts as a significant change depends on how your environment is configured. A good baseline: a change is significant if it could allow access to cardholder data or affect the security of the cardholder data environment.

The PCI DSS explains, “Scanning an environment after any significant changes are made ensures that changes were completed appropriately such that the security of the environment was not compromised as a result of the change. All system components affected by the change will need to be scanned.”

To verify compliance with PCI Requirement 11.2.3, an assessor will examine your change control documentation and compare it to your vulnerability scan reports, and also validate that your scans were performed by qualified individuals.

PCI Requirement 11.2.3 requires that any time you make a significant change in your environment, whether internal or external, you run a scan. This particular scan can be run by an internal resource, but that person must have some organizational independence and must know what they are doing. For example, an ASV can perform the scan, but it does not have to be an ASV.

What the assessors are going to be doing, or what they should be doing, is going back and asking for a series of change controls. After that, they should ask for the subsequent scan that corresponds to the changes you made and shows that those changes did not introduce any vulnerabilities into your environment. PCI Requirement 11.2.3 is not based on quarters; it may be based on an event.
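The assessor's check described above (change controls compared against the scans that followed them) can be automated as a self-assessment. The script below is an added example, not part of the original article or of any PCI tooling; the ticket and scan records are constructed, and the 30-day window, the `qualified` flag (scan run by an organizationally independent, qualified person) and the `clean` flag (no unresolved findings, so no rescan is outstanding) are assumptions about how your own records are kept.

```python
from datetime import date, timedelta

# Constructed sample records (not from the article). Each change-control ticket
# lists the components it touched; each scan lists the components it covered.
CHANGES = [
    {"id": "CHG-101", "date": "2018-03-02", "significant": True,
     "components": {"fw-edge-01", "web-01"}},          # firewall rule change
    {"id": "CHG-102", "date": "2018-04-15", "significant": False,
     "components": {"web-02"}},                        # cosmetic, not significant
    {"id": "CHG-103", "date": "2018-05-20", "significant": True,
     "components": {"db-01", "app-01"}},               # product upgrade
    {"id": "CHG-104", "date": "2018-05-25", "significant": True,
     "components": {"pos-01"}},                        # new system component
]
SCANS = [
    {"id": "SCAN-7", "date": "2018-03-05", "qualified": True, "clean": True,
     "components": {"fw-edge-01", "web-01", "web-02"}},
    {"id": "SCAN-8", "date": "2018-05-22", "qualified": True, "clean": False,
     "components": {"db-01", "app-01"}},               # findings open: rescan needed
    {"id": "SCAN-9", "date": "2018-05-29", "qualified": True, "clean": True,
     "components": {"db-01"}},                         # rescan, but app-01 omitted
    {"id": "SCAN-10", "date": "2018-05-26", "qualified": False, "clean": True,
     "components": {"pos-01"}},                        # run by an unqualified person
]


def _parse(d: str) -> date:
    return date.fromisoformat(d)


def find_gaps(changes, scans, window_days: int = 30):
    """Return [(change_id, [components without an acceptable post-change scan])].

    A scan counts for a change only if it ran on or after the change date and
    within `window_days` (assumed window), was performed by a qualified person,
    and was clean, i.e. no rescan is still outstanding. Non-significant changes
    are skipped, as 11.2.3 only triggers on significant changes.
    """
    findings = []
    for chg in changes:
        if not chg["significant"]:
            continue
        start = _parse(chg["date"])
        deadline = start + timedelta(days=window_days)
        covered = set()
        for scan in scans:
            scan_day = _parse(scan["date"])
            if start <= scan_day <= deadline and scan["qualified"] and scan["clean"]:
                covered |= scan["components"] & chg["components"]
        missing = chg["components"] - covered
        if missing:
            findings.append((chg["id"], sorted(missing)))
    return findings
```

Running `find_gaps(CHANGES, SCANS)` on the constructed records flags CHG-103 (app-01 never covered by a clean rescan) and CHG-104 (its only scan was not run by a qualified person), which is exactly the evidence gap an assessor would raise.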