GRCWatch
Sign inStart free trial

PCI DSS 6.3.1: Identify and Manage Security Vulnerabilities

PCI DSS 6.3.1 requires organizations to systematically identify and manage security vulnerabilities using industry-recognized sources. This control is foundational to preventing exploits that could compromise cardholder data. For SMBs managing payment systems, establishing a robust vulnerability identification process directly reduces your breach risk.

What this means

This control mandates that your organization proactively identify new security vulnerabilities before attackers do. You must use industry-recognized vulnerability sources—such as CVE databases, vendor security bulletins, and security research feeds—combined with your own vulnerability management policy to stay current on emerging threats. The goal is continuous monitoring and rapid response, not one-time scanning.

How to comply

  1. 1.Document your vulnerability management policy that defines how vulnerabilities are identified, classified, and tracked
  2. 2.Subscribe to industry-recognized vulnerability databases and sources (NVD, CVE, vendor advisories, security feeds)
  3. 3.Conduct regular vulnerability scans of your cardholder data environment using automated tools
  4. 4.Review scan results and newly published vulnerabilities at least weekly to identify applicable threats
  5. 5.Establish a process to evaluate new vulnerabilities against your systems and determine severity
  6. 6.Create remediation timelines based on vulnerability severity and impact on cardholder data
  7. 7.Document all identified vulnerabilities, their status, and remediation efforts in a centralized register
  8. 8.Communicate vulnerability findings to relevant teams and track remediation to completion

Evidence auditors look for

  • Vulnerability management policy document with defined identification and escalation procedures
  • Subscriptions or access logs to CVE, NVD, vendor security advisory feeds, or commercial threat intelligence platforms
  • Automated vulnerability scan reports with timestamps showing regular scanning cadence (weekly or more frequent)
  • Vulnerability register/log capturing discovered vulnerabilities, dates identified, severity ratings, and remediation status
  • Evidence of review and evaluation of newly published CVEs against your environment within defined timeframes
  • Remediation tickets or change records linking identified vulnerabilities to patches or fixes applied

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically centralizes vulnerability discovery from industry sources and your scans into one audit-ready register, eliminating manual tracking and ensuring no vulnerability is missed during your next assessment.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 6.3.2 — Perform Vulnerability ScanningPCI DSS 6.2.4 — Security Testing of Custom CodePCI DSS 6.4 — Address Identified Vulnerabilities