GRCWatch
Sign inStart free trial

PCI DSS 11.3.1.3: Achieve Clean External Scan Results

External vulnerability scanning is your first line of defense against network threats—and a mandatory PCI DSS requirement. Control 11.3.1.3 demands that your organization maintain clean external scan results with no high-severity vulnerabilities (CVSS 4.0+). This control ensures your attack surface remains hardened and your cardholder data stays protected.

What this means

This control requires you to conduct regular external vulnerability scans of your network perimeter and achieve passing results with zero high-severity findings. A successful scan demonstrates that your publicly-facing systems—websites, APIs, mail servers, and other internet-connected assets—have no exploitable vulnerabilities that could lead to data compromise. The CVSS 4.0+ threshold focuses remediation efforts on threats with genuine attack potential, not minor issues.

How to comply

  1. 1.Engage a PCI-approved scanning vendor (ASV) to perform quarterly external vulnerability scans at minimum
  2. 2.Conduct scans against all systems with cardholder data connectivity or that support the CDE
  3. 3.Remediate all high-severity vulnerabilities (CVSS score 4.0 or higher) before the next scan cycle
  4. 4.Address medium and low-severity findings through risk-based prioritization aligned with your patch management policy
  5. 5.Maintain scan documentation including dates, scope, results, and remediation evidence
  6. 6.Perform rescans after remediation to validate that vulnerabilities have been eliminated
  7. 7.Schedule scans to run at least quarterly and after any significant network changes

Evidence auditors look for

  • Quarterly ASV scan reports with passing results and zero high-severity vulnerabilities
  • Vulnerability remediation tickets showing the patching or configuration changes applied
  • Rescan reports confirming successful closure of previously identified high-severity issues
  • ASV attestation letter documenting clean scan results and compliance with 11.3.1.3
  • Network change log showing relationship between infrastructure updates and scan dates
  • Risk assessment documentation for any medium-severity findings not immediately remediated

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates ASV scan scheduling, tracks remediation timelines, and aggregates scan results with remediation evidence to streamline your 11.3.1.3 compliance documentation and auditor reviews.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 11.2.2 — Internal vulnerability scansPCI DSS 11.2.1 — Vulnerability scanning standardsPCI DSS 11.3.1 — External security testingPCI DSS 6.2 — Patch management program