PCI DSS 11.3.2: Internal Vulnerability Scans Explained
Internal vulnerability scans are a cornerstone of PCI DSS compliance, helping you identify security weaknesses before attackers do. Control 11.3.2 requires these scans to follow a defined methodology and regular schedule. Understanding the requirements—and automating them—is critical for maintaining compliance and protecting cardholder data.
What this means
Internal vulnerability scans must be conducted on your systems and network infrastructure using a consistent, documented methodology. This control ensures you proactively detect weaknesses like unpatched software, misconfigurations, weak credentials, and missing security controls. Scans should cover all systems connected to or supporting your cardholder data environment (CDE), including servers, workstations, databases, and network devices. The methodology must define scan scope, frequency, tools used, and how findings are remediated and verified.
How to comply
- 1.Document your vulnerability scan methodology including scope, frequency, tools, and procedures
- 2.Establish a baseline of your systems and network infrastructure that requires scanning
- 3.Select and configure vulnerability scanning tools appropriate for your environment
- 4.Run scans at least quarterly and after significant network or system changes
- 5.Document all scan dates, tools, and configurations used
- 6.Review and prioritize findings based on severity and risk
- 7.Develop remediation plans for identified vulnerabilities
- 8.Verify remediation through rescans and document resolution
- 9.Maintain records of all scans and remediation efforts for audit purposes
Evidence auditors look for
- Documented vulnerability scan methodology and policy
- Quarterly (or more frequent) scan reports with dates and tools used
- Evidence of vulnerability database updates in scanning tools
- Remediation plans for findings with assigned owners and due dates
- Rescans confirming successful remediation of vulnerabilities
- Management approval records for scan scope and methodology
- Network diagrams showing systems included in scan scope
- Change management records correlating scans to system modifications
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates vulnerability scan scheduling, aggregates results from your scanning tools, tracks remediation status, and generates audit-ready reports—eliminating manual coordination and ensuring you never miss a scan deadline.
See how GRCWatch handles this control automatically
Start free trial