Reference Content: This is a copy of content from the PCI Security Standards Council FAQ database, preserved for tracking changes over time.
FAQ #1317 Published

What is a "significant change" for PCI DSS Requirements 11.2 and 11.3?

PCI DSS Requirements 11.2 and 11.3 address internal and external vulnerability scans and penetration testing respectively, including that they need to be performed after a significant change to the environment. The PCI DSS guidance column provides additional direction on the intent of these requirements, including that determination of a significant change will vary for each environment. Generally, changes affecting access to cardholder data or the security of the cardholder data environment could be considered significant. Examples of a significant change may include network upgrades, additions or updates to firewalls or routing devices, upgrades to servers, etc.

Performing vulnerability scans after a significant change provides assurance that the change has not introduced vulnerabilities to the environment, and penetration tests provide assurance that the security controls are still working effectively after the upgrade or modification.
