PCI Requirement 11: Vulnerability Scans and Penetration Tests

PCI Requirement 11 discusses vulnerability scanning and penetration testing.


A strong information security program must assume that vulnerabilities exist within your network, whether you are aware of them or not. Flaws in web servers, POS software, and operating systems provide gateways for attackers to infiltrate your environment. While patches and updates are vital, you cannot fix what you haven't identified.

Under PCI DSS 4.0, Requirement 11 mandates a proactive approach to finding these "holes" through two distinct but complementary methods: vulnerability scanning and penetration testing.

Vulnerability Scanning: The Automated Perimeter Guard

A vulnerability scan is a high-level, automated test that identifies known security weaknesses. These scans provide a broad overview of your security posture without attempting to exploit the findings.

  • External Scans: These must be performed at least quarterly by a PCI Approved Scanning Vendor (ASV). They target external-facing IPs and domains to find weaknesses accessible from the internet.
  • Internal Scans: Conducted from within your network, these look for vulnerabilities on internal hosts. Under PCI 4.0, these scans now require authenticated scanning, meaning the scanner must use credentials to see deeper into the system's configuration.

Expert Insight: In 2024, a record-breaking 40,009 new CVEs (Common Vulnerabilities and Exposures) were published. Because the threat landscape shifts daily, quarterly scans are the absolute minimum; many experts now recommend monthly scans.

See also: How Much Does a Pentest Cost?

Penetration Testing: The Human-Led Assault

While scans are automated and broad, a penetration test is a deep, manual dive. An ethical hacker (acting as a real-world adversary) attempts to exploit vulnerabilities to determine how far they can penetrate your defenses.

Key Requirements for Pen Testing:

  • Frequency: Must be performed at least annually and after any "significant change" (defined below).
  • Scope: Must cover the entire CDE (Cardholder Data Environment) perimeter and critical systems, including both the network and application layers.
  • Independence: The tester must be organizationally independent. While they can be an internal employee, they cannot be the same person who manages or configures the systems being tested.

See also: Different Types of Penetration Tests for Your Business Needs

Defining a “Significant Change”

PCI DSS 4.0 Requirement 11.3.2 mandates that new scans and pen tests occur whenever a "significant change" is made. Many organizations struggle to define this, but in a 2026 compliance landscape, the following are generally considered triggers:

  • Infrastructure Upgrades: Replacing a firewall, adding a new server, or migrating to a cloud-hosted environment.
  • Data Flow Changes: Any modification to how primary account numbers (PAN) are stored or transmitted.
  • New Software: Adding a new payment acceptance process or a major OS upgrade for CDE systems.
  • Boundary Shifts: Any change that alters the scope of the PCI assessment or the CDE perimeter.
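As an added example (not code from the original article), the following Python checks a CDE's scan and penetration-test history against the cadence described above: quarterly external ASV scans, annual penetration tests, and a rescan or retest after any significant change. The 90-day and 365-day windows, the record layout and the sample dates are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumed concrete windows for "at least quarterly" / "at least annually".
EXTERNAL_SCAN_WINDOW = timedelta(days=90)
PENTEST_WINDOW = timedelta(days=365)

@dataclass
class Req11Record:
    external_asv_scans: List[date]   # dates of passing ASV scans
    pentests: List[date]             # dates of completed penetration tests
    significant_changes: List[date]  # dates of "significant change" triggers

def _uncovered_change(changes: List[date], last_done: Optional[date]) -> Optional[date]:
    """Earliest significant change not followed by a later scan/test, else None."""
    pending = [c for c in changes if last_done is None or c > last_done]
    return min(pending) if pending else None

def evaluate_req11(rec: Req11Record, today: date) -> List[str]:
    """Return findings against the Requirement 11 cadence; empty means none."""
    findings = []
    last_scan = max(rec.external_asv_scans, default=None)
    last_pt = max(rec.pentests, default=None)
    if last_scan is None or today - last_scan > EXTERNAL_SCAN_WINDOW:
        findings.append("external ASV scan overdue (quarterly minimum)")
    if last_pt is None or today - last_pt > PENTEST_WINDOW:
        findings.append("penetration test overdue (annual minimum)")
    # Significant-change trigger: a change newer than the last scan/test
    # reopens the obligation even when the periodic window is still open.
    change = _uncovered_change(rec.significant_changes, last_scan)
    if change:
        findings.append(f"rescan required after significant change on {change}")
    change = _uncovered_change(rec.significant_changes, last_pt)
    if change:
        findings.append(f"pentest required after significant change on {change}")
    return findings

def sample_status() -> List[str]:
    # Constructed sample: periodic cadence is fine, but a firewall replacement
    # on 2026-02-20 postdates both the last ASV scan and the last pentest.
    rec = Req11Record(
        external_asv_scans=[date(2025, 11, 20), date(2026, 2, 10)],
        pentests=[date(2025, 4, 15)],
        significant_changes=[date(2026, 2, 20)],
    )
    return evaluate_req11(rec, date(2026, 3, 1))
```

Run `sample_status()` to see the two change-triggered findings; the periodic windows alone would have reported nothing.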

Difference between penetration tests and vulnerability scans

As a review, vulnerability scanning, whether internal or external, is not the same as penetration testing.

Here are two big differences:

  1. A vulnerability scan is automated, while a penetration test includes a live person actually digging into the complexities of your network.
  2. A vulnerability scan only identifies potential vulnerabilities. During a penetration test, the tester verifies whether a vulnerability is actually exploitable and works to identify the root cause that allows access to secure systems or stored sensitive data.

Vulnerability scans and penetration tests complement each other. Vulnerability scans provide useful weekly, monthly, or quarterly insight into your network security, while penetration tests are a more thorough assessment of your overall information security posture.

Need help with finding vulnerabilities? Talk to us about vulnerability scanning and penetration testing so that you can become compliant with PCI Requirement 11!
