GRCWatch
Sign inStart free trial

PCI DSS 11.3.1.1: Perform Internal Authenticated Scanning

Internal authenticated scanning is a critical PCI DSS requirement that validates your security posture from within your network. This control ensures you're detecting vulnerabilities that only authenticated users can access. Implementing proper authenticated scanning practices is essential for maintaining PCI compliance and reducing breach risk.

What this means

Authenticated scanning involves running vulnerability assessments with valid user credentials from inside your network environment. Unlike unauthenticated scans that test external attack surfaces, authenticated scans log in with real user accounts to identify deeper system vulnerabilities, misconfigurations, and security gaps that attackers could exploit after gaining initial access.

How to comply

  1. 1.Establish dedicated scanning accounts with appropriate permissions across all systems in scope for PCI compliance
  2. 2.Configure vulnerability scanning tools to perform authenticated scans using these accounts regularly
  3. 3.Schedule scans at least quarterly or whenever significant system changes occur
  4. 4.Document all scan configurations, including credentials management and scope definitions
  5. 5.Review and validate scan results to identify false positives and confirm remediation of actual vulnerabilities
  6. 6.Maintain scan logs and reports as evidence of compliance efforts
  7. 7.Ensure scanning activities don't interfere with production system performance

Evidence auditors look for

  • Vulnerability scan reports showing authenticated access and internal network coverage
  • Scan configuration documentation detailing credentials used and systems scanned
  • Quarterly scan execution logs with timestamps and scope confirmation
  • Vulnerability remediation tickets and closure verification
  • Network diagrams showing all systems within PCI scope that were scanned
  • Scanning tool access logs proving authenticated sessions were used

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates authenticated vulnerability scan scheduling and result aggregation across your PCI scope, eliminating manual coordination and ensuring quarterly scans never slip past deadline.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 11.2.2 — Vulnerability ScanningPCI DSS 11.3 — External Penetration TestingPCI DSS 6.2 — Security Configuration StandardsPCI DSS 10.2 — Audit Trails