FAQ #1317 Diff

What is a "significant change" for PCI DSS Requirements 11.2 and 11.3?

Earlier Version

PCI DSS Requirements 11.2 and 11.3 address internal and external vulnerability scans and penetration testing respectively, including that they need to be performed after a significant change to the environment. The PCI DSS guidance column provides additional direction on the intent of these requirements, including that determination of a significant change will vary for each environment. Generally, changes affecting access to cardholder data or the security of the cardholder data environment could be considered significant. Examples of a significant change may include network upgrades, additions or updates to firewalls or routing devices, upgrades to servers, etc.

Performing vulnerability scans after a significant change provides assurance that the change has not introduced vulnerabilities to the environment, and penetration tests provide assurance that the security controls are still working effectively after the upgrade or modification.

Later Version

There are several PCI DSS requirements that specify performance upon a significant change in an entity's environment. While what constitutes a significant change is highly dependent on the configuration of a given environment, each of the following activities is included under "Significant Change" in the "Description of Timeframes Used in PCI DSS Requirements" section in PCI DSS v4.0:

New hardware, software, or networking equipment added to the CDE.
Any replacement or major upgrades of hardware and software in the CDE.
Any changes in the flow or storage of account data.
Any changes to the boundary of the CDE and/or to the scope of the PCI DSS assessment.
Any changes to the underlying supporting infrastructure of the CDE (including, but not limited to, changes to directory services, time servers, logging, and monitoring).
Any changes to third party vendors/service providers (or services provided) that support the CDE or meet PCI DSS requirements on behalf of the entity.

Each of these activities, at a minimum, has potential impacts on the security of an entity's cardholder data environment (CDE), and must be considered and evaluated to determine whether a change is significant for that entity and in the context of related PCI DSS requirements.

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.