GRCWatch
Sign inStart free trial

PCI DSS 11.3.2: Internal Vulnerability Scans Explained

Internal vulnerability scans are a cornerstone of PCI DSS compliance, helping you identify security weaknesses before attackers do. Control 11.3.2 requires these scans to follow a defined methodology and regular schedule. Understanding the requirements—and automating them—is critical for maintaining compliance and protecting cardholder data.

What this means

Internal vulnerability scans must be conducted on your systems and network infrastructure using a consistent, documented methodology. This control ensures you proactively detect weaknesses like unpatched software, misconfigurations, weak credentials, and missing security controls. Scans should cover all systems connected to or supporting your cardholder data environment (CDE), including servers, workstations, databases, and network devices. The methodology must define scan scope, frequency, tools used, and how findings are remediated and verified.

How to comply

  1. 1.Document your vulnerability scan methodology including scope, frequency, tools, and procedures
  2. 2.Establish a baseline of your systems and network infrastructure that requires scanning
  3. 3.Select and configure vulnerability scanning tools appropriate for your environment
  4. 4.Run scans at least quarterly and after significant network or system changes
  5. 5.Document all scan dates, tools, and configurations used
  6. 6.Review and prioritize findings based on severity and risk
  7. 7.Develop remediation plans for identified vulnerabilities
  8. 8.Verify remediation through rescans and document resolution
  9. 9.Maintain records of all scans and remediation efforts for audit purposes

Evidence auditors look for

  • Documented vulnerability scan methodology and policy
  • Quarterly (or more frequent) scan reports with dates and tools used
  • Evidence of vulnerability database updates in scanning tools
  • Remediation plans for findings with assigned owners and due dates
  • Rescans confirming successful remediation of vulnerabilities
  • Management approval records for scan scope and methodology
  • Network diagrams showing systems included in scan scope
  • Change management records correlating scans to system modifications

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates vulnerability scan scheduling, aggregates results from your scanning tools, tracks remediation status, and generates audit-ready reports—eliminating manual coordination and ensuring you never miss a scan deadline.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 11.2.1 - External Vulnerability ScansPCI DSS 11.2.2 - Remediation of External VulnerabilitiesPCI DSS 11.3.1 - Internal Vulnerability Scans ConfigurationPCI DSS 12.6.1 - Security Policy Implementation