Relevant PCI DSS Requirement: Internal vulnerability scans are discussed under PCI DSS Requirement
11.3.1, which requires organizations to perform internal vulnerability scanning as part of their
regular vulnerability management process.
Frequency and Trigger for Internal Scans:
PCI DSS v4.0 explicitly states that internal vulnerability scans should be conducted at least quarterly
and after any significant change.
A "significant change" can include modifications such as infrastructure upgrades, addition of new
systems or software, and configuration changes that may impact security.
Approved Scanning Vendor (ASV):
Internal scans do not require an Approved Scanning Vendor (ASV). ASVs are specifically used for
external vulnerability scans.
Qualified Security Assessor (QSA) Involvement:
QSAs are not mandated to perform internal scans. Organizations can use internal teams or trusted
third-party resources for this purpose, provided the scans meet PCI DSS criteria.
Annual Scanning Misconception:
While annual compliance reports may include details of scanning activities, the requirement for
internal scans is at least quarterly and event-triggered, not annually.
Reference Verification:
Requirement 11.3.1 (PCI DSS v4.0): Clearly outlines the need for quarterly scans and post-significant-change scans.
ROC and SAQ Templates: Reinforce the requirement that scans are both regular and reactive to
environmental changes.