A significant change triggers several required action for PCI DSS compliance.
|PCI DSS Requirement||Annual||Significant Change|
• Web application vulnerability security assessments, AND/OR
• Automated technical solution that detects and prevents web-based attacks, such as web application firewalls.
Include tests for the vulnerabilities in 6.5.1 to 5.5.10
|11.2 internal and external network vulnerability scans
(new and old components)
|11.3.1 external pen test||YES||YES|
|11.3.2 internal pen test||YES||YES|
|12.2 perform a risk assessment||YES||YES|
And if you are reading this past January 2018, don’t forget:
Requirement 6.4.6 Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable.
And if you are a designated entity required to complete appendix 3, there are other things you will have to do after a significant change.
What is a significant change in PCI DSS?
And if you are wondering what a significant change is, refer to the PCI DSS FAQ article 1317 from January 2015. Although the article specifically says that the definition is applicable to PCI DSS Requirements 11.2 and 11.3, I think it would be fine to stretch them for 6.6 and 12.2.
There is also some definitional help in the guidance section of requirement 11.3.1. But it all basically boils down to “it depends”. So this is definitely something that the QSA and the assessed entity should discuss.
Ad below this line: