Explanation of New Authenticated Scanning PCI DSS Requirement 11.3.1.2 in PCI DSS V4.0 and how InsightVM can help meet the Requirement


By: Dominick Vitolo, VP of Security Services, MegaplanIT

As a Certified Qualified Security Assessor (QSA) company and a trusted Rapid7 partner, MegaplanIT is committed to guiding organizations through the complexities of compliance and security standards.

PCI DSS version 4.0 is a significant update on the horizon and is set to take effect March 31, 2025. One of the key changes around vulnerability scanning within this update is requirement 11.3.1.2. This new requirement mandates authenticated internal vulnerability scans.

Here, we’ll shed light on why organizations should immediately transition to authenticated vulnerability scanning and how Rapid7’s InsightVM can facilitate this essential change.

The Shift in PCI DSS 4.0

New Requirement 11.3.1.2

Under PCI DSS 4.0, requirement 11.3.1.2 introduces the need for authenticated internal vulnerability scans, marking a departure from the widely practiced unauthenticated scans.

Currently, many organizations rely on unauthenticated scanning which, while useful, offers limited visibility into system vulnerabilities. In previous versions, the PCI DSS never specifically called out the need for authenticated internal vulnerability scanning, which left the requirement open to interpretation.

The established procedure from requirement 11.3.1, summarized below, remains applicable and is complemented by the new requirement mandating authenticated internal vulnerability scans.

- Scans must be conducted at least every three months.
- All high-risk and critical vulnerabilities – as defined by the entity's own risk rankings established in Requirement 6.3.1 – must be remediated.
- Follow-up rescans are required to verify the resolution of these high-risk and critical vulnerabilities.
- The scanning tool used must be regularly updated with the latest vulnerability information.
- The scans must be carried out by qualified individuals, and there must be an organizational separation between the testers and the systems they are test ..
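The procedure above is what a QSA will ask for evidence of: a scan at least every three months, every high-risk or critical finding remediated, and a later rescan that no longer reports it. The following script is an added example written for this page; it is not MegaplanIT's or Rapid7's code and does not use the InsightVM API. It takes a constructed set of scan records plus the entity's remediation log and reports the three things an assessor checks first: cadence gaps, scans that were not authenticated, and high/critical findings that are still open or awaiting a verifying rescan. The 92-day window, the "high"/"critical" labels and all scan data are assumptions for the example; in practice the labels come from the entity's own Requirement 6.3.1 risk ranking.

```python
"""Evidence checker for the PCI DSS 11.3.1 / 11.3.1.2 internal scanning procedure.

Added example: all scan records, hosts, vulnerability ids and dates below are
constructed for illustration and are not real scan output.
"""
from dataclasses import dataclass
from datetime import date, timedelta

MAX_SCAN_INTERVAL = timedelta(days=92)   # assumption: "at least every three months" as a 92-day window
MUST_FIX = {"high", "critical"}           # assumption: labels from the entity's Req. 6.3.1 risk ranking


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str
    severity: str        # label taken from the entity's own risk ranking


@dataclass(frozen=True)
class Scan:
    scan_date: date
    authenticated: bool  # Req. 11.3.1.2: internal scans must be authenticated
    findings: frozenset  # Findings reported by this scan


def cadence_gaps(scans, as_of):
    """(earlier, later) date pairs more than MAX_SCAN_INTERVAL apart, including
    a trailing (last_scan, as_of) pair when the most recent scan is already stale."""
    dates = sorted(s.scan_date for s in scans)
    gaps = [(a, b) for a, b in zip(dates, dates[1:]) if b - a > MAX_SCAN_INTERVAL]
    if dates and as_of - dates[-1] > MAX_SCAN_INTERVAL:
        gaps.append((dates[-1], as_of))
    return gaps


def unauthenticated_scans(scans):
    """Dates of scans that would not satisfy the authenticated-scan requirement."""
    return sorted(s.scan_date for s in scans if not s.authenticated)


def remediation_status(scans, remediation_log):
    """Classify every high/critical finding ever reported:
    'open'      - no remediation logged and still in the latest scan, or a rescan
                  after the logged fix still reports it (the fix did not take)
    'pending'   - remediation logged but no rescan has run since, so unverified
    'verified'  - a scan dated after the logged fix no longer reports it
    'unlogged'  - disappeared from scans with no remediation record (evidence gap)
    """
    ordered = sorted(scans, key=lambda s: s.scan_date)
    latest = ordered[-1]
    seen = {(f.host, f.vuln_id) for s in ordered for f in s.findings if f.severity in MUST_FIX}
    status = {}
    for key in seen:
        fixed_on = remediation_log.get(key)
        in_latest = any((f.host, f.vuln_id) == key for f in latest.findings)
        if fixed_on is None:
            status[key] = "open" if in_latest else "unlogged"
            continue
        later = [s for s in ordered if s.scan_date > fixed_on]
        if not later:
            status[key] = "pending"
        elif any((f.host, f.vuln_id) == key for s in later for f in s.findings):
            status[key] = "open"
        else:
            status[key] = "verified"
    return status


# Constructed sample evidence (hosts, ids and dates are made up)
F_DB = Finding("db01", "VULN-A", "critical")
F_WEB_B = Finding("web01", "VULN-B", "high")
F_WEB_C = Finding("web01", "VULN-C", "low")
F_WEB_D = Finding("web01", "VULN-D", "high")
SCANS = [
    Scan(date(2024, 1, 10), True, frozenset({F_DB, F_WEB_B, F_WEB_C})),
    Scan(date(2024, 4, 5), True, frozenset({F_WEB_B, F_WEB_C})),            # VULN-A gone after fix
    Scan(date(2024, 8, 20), False, frozenset({F_WEB_B, F_WEB_C, F_WEB_D})),  # unauthenticated, late
]
REMEDIATION_LOG = {
    ("db01", "VULN-A"): date(2024, 2, 1),    # rescans in April and August confirm it
    ("web01", "VULN-B"): date(2024, 9, 1),   # fixed after the last scan: rescan still due
}
AS_OF = date(2024, 10, 1)


def report(scans=SCANS, log=REMEDIATION_LOG, as_of=AS_OF):
    return {
        "cadence_gaps": [(str(a), str(b)) for a, b in cadence_gaps(scans, as_of)],
        "unauthenticated": [str(d) for d in unauthenticated_scans(scans)],
        "findings": {f"{h}/{v}": s for (h, v), s in sorted(remediation_status(scans, log).items())},
    }


if __name__ == "__main__":
    for section, value in report().items():
        print(section, value)
```

The cadence check treats the period between the April and August scans as a gap, and the August scan is flagged because it was unauthenticated. VULN-A is the only finding an assessor would accept as closed: its remediation is logged and two later scans no longer report it. VULN-B is fixed on paper but has no verifying rescan yet, and VULN-D has no remediation record at all, so both remain findings against 11.3.1.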
