PCI DSS 11.3.2.1: Rescan After Significant Internal Changes
Significant internal changes create new vulnerability windows—and PCI DSS 11.3.2.1 requires you to rescan immediately after they occur. This control closes the gap between change and detection, preventing attackers from exploiting newly introduced weaknesses. Without a documented rescan process tied to your change management system, you risk audit findings and undetected compromise.
What this means
This control mandates that your organization performs internal vulnerability scans following any significant change to your cardholder data environment (CDE). 'Significant changes' include infrastructure upgrades, application patches, system reconfigurations, security tool updates, or any modification that could introduce new vulnerabilities. The scan must happen within a defined timeframe post-change and results must be documented and remediated before systems return to production.
How to comply
- 1.Define 'significant change' in writing—identify which changes trigger rescan obligations (OS patches, hardware additions, application deployments, network reconfigurations, etc.)
- 2.Integrate vulnerability scanning into your change management process so scans are automatically scheduled when changes are approved
- 3.Document the time window for post-change scans (e.g., within 24-48 hours) and ensure tools are configured to run without manual delays
- 4.Execute internal vulnerability scans after each significant change using authenticated, credentialed scanners
- 5.Review scan results promptly, assign remediation owners, and track remediation completion before change sign-off
- 6.Maintain a log linking each change request to its corresponding vulnerability scan report and remediation evidence
- 7.Retain all scan reports and change documentation for your annual audit and demonstrate the cause-and-effect relationship between change and scan
Evidence auditors look for
- Change management records showing 'Vulnerability Scan Required' as a mandatory post-change step
- Vulnerability scan reports dated immediately after change implementation with scan scope and findings
- Remediation tracking logs showing vulnerabilities identified post-change and their closure before production release
- Policy documentation defining which change types require rescans and acceptable timeframes
- Automated scan scheduling configurations linked to change approval workflows
- Audit trail from your scanner showing scans triggered by change events rather than manual initiation
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates post-change vulnerability scan scheduling and correlates scan results to specific changes, eliminating manual tracking and ensuring rescan compliance within your defined windows—transforming this control from a checklist item into an auditable, continuous process.
See how GRCWatch handles this control automatically
Start free trial