PCI DSS 4.0, the latest security standard release affecting companies handling card payments and cardholder data, is changing how we manage, process, and transmit financial information across industries.
As of March 31st, 2025, it’s become vital for all organizations handling cardholder data to ensure their systems and controls comply with the most recent version of the standard. One of these changes, outlined in requirement 11.3.1.2, is that firms must run internal authenticated vulnerability scans.
In short, this means anyone undertaking vulnerability scanning must have authenticated credentials and access to client systems. Authenticated scanning provides a deep, wide sweep of systems and controls, meaning it can provide valuable insights in order for you to improve security robustness, support stronger compliance, and boost operational efficiency.
In this guide, we’ll explore what authenticated vulnerability scans look like in practice – the PCI DSS requirements, and best practices for implementing them.
Understanding Authenticated Vulnerability Scans
The PCI SSC, with feedback from the industry, introduced authenticated vulnerability scanning because it is highly effective and efficient at finding hidden system flaws – and, in practice, we happen to agree.
Historically, while widely used, unauthenticated scanning has proven less effective at detecting vulnerabilities – there just isn’t as much visibility or access.
What is an Authenticated Vulnerability Scan?
An authenticated vulnerability scan is a system security review conducted by a user with valid, credentialed access. They have, therefore, complete access to the systems and controls they are reviewing.
It is effectively a scan performed through a user with “sufficient access”. Credentialed users have the privilege to dive deep into user settings, permissions, system configurations, tools, and access controls, rather than just scanning the surface.
The cost of an authenticated PCI vulnerability scan will vary depending on the scope required, the frequency, and what level of service you require.
Authenticated vs. Unauthenticated Scans: What’s the Difference?
An authenticated scan detects vulnerabilities across the whole of an infrastructure with the benefit of insider credentials and knowledge. An unauthenticated scan, meanwhile, is much more limited, providing information and access that might typically be available to outsiders.
Unauthenticated scans can find vulnerabilities; however, they typically rely on open ports and access points where there is no need to provide credentials. In the case of closed ports, or systems that allow zero access before a credential check, these scans cannot find vulnerabilities that could still be lurking within.
Here’s a brief analogy – let’s say you are looking for a bee that has flown into your home. With your keys, or authenticated scanning, you can open the door and look throughout your property from the inside, and help the bee escape.
Without keys – unauthenticated scanning – you can only see what’s inside through the windows. The bee could be hidden in a room or space upstairs you don’t have access to.
Ultimately, authenticated scans sweep the whole system – unauthenticated scans don’t.
PCI DSS Requirements for Authenticated Scanning
PCI DSS 4.0 requirement 11.3.1.2 demands that all companies handling cardholder data perform authenticated vulnerability scanning and be able to provide an approved scan at least once every three months (every 90 days), or after major changes. As a VikingCloud client, for example, you’ll have access to quarterly and ad hoc scanning and reports across the year.
You should commit to both types of vulnerability scans (internal and external), and account for networks and systems where cardholder data is accessible and transmitted. Ultimately, if you are in doubt, you should scan it. We help our clients to establish scanning scope to ensure they’re completely compliant in line with PCI DSS.
When running external scans, you should also engage the support of an Approved Scanning Vendor (ASV) such as VikingCloud.
Beyond this, if scanning finds any risks that are deemed to be high or critical, you must take steps to remedy them right away.
Once these flaws are remedied, PCI DSS requires entities to re-scan their systems to ensure that they are addressed and that the scan results are approved and in line with the PCI DSS standard.
The requirements also state that qualified professionals should be somewhat independent – meaning that, for example, the discoverer of the flaw should not be the one to remedy it.
Finally, it’s important to keep comprehensive records of any scans completed, any weaknesses found, and actions taken. Such details will help to support your activity during a PCI DSS audit.
Benefits of Authenticated Vulnerability Scans
Authenticated vulnerability scans give deep, valuable insight into systems, their configurations, and any flaws that may reside in your infrastructure. A credentialed scan allows the operator to access more settings and software, for example, that wouldn’t be accessible through an unauthenticated scan.
What’s more, authenticated scans can apply more context to potential flaws that are detected. Additional detail reduces the risk of human error and false positives, meaning operators can apply contextual analysis to each case and take better-informed action to remedy problems.
Authenticated PCI vulnerability scans can pick up hidden risks such as inactive user accounts, inappropriate permissions settings, flawed encryption processes, obsolete software or firmware, and connected systems that have gone unmanaged or without updates for some time. These scans can even assess whether or not individual users are logging in with strong enough passwords.
Industry feedback on Authenticated Scanning
VikingCloud assesses hundreds of environments a year where authenticated scans are utilized as part of the vulnerability management process.
We’ve received feedback that authenticated scans are uncovering more findings, which has increased the effort required to maintain compliance.
At the same time, organizations report that these scans have enhanced their visibility, enabling more informed prioritization and risk-based decision-making in vulnerability remediation.
Implementing Authenticated Scanning: Best Practices
For authenticated vulnerability scanning, we first recommend setting up a temporary, credentialed user that can be used by the scan engine to assess your systems – and ensuring that it has access only to the systems or assets that you need to cover during the scan.
The scanner account should also follow general security best practices – for example, it should use a secure password and multi-factor authentication to prevent unauthorized personnel from breaking in. It is also recommended that, where possible, you restrict where your scanner account can log in and access from. For instance, you could restrict the host address or IP range for your scanner during the process.
It is good practice to disable scanner accounts automatically at the end of the process, or to delete accounts at the end of each stage, creating a new one when scanning picks back up. This reduces the risk of the account falling into the wrong hands.
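The three practices above (a dedicated temporary account, logins restricted to the scanner’s address, and automatic disabling when the scan ends) on a Linux host, as an added example that is not VikingCloud’s own tooling. It assumes an account named pciscan, a scan engine at 10.0.5.10/32, a one-day validity window, and an OpenSSH build that reads /etc/ssh/sshd_config.d; run it as root with `create` before the scan and `retire` afterwards.

```shell
#!/bin/sh
# Added example, not VikingCloud tooling: temporary least-privilege scanner account
# on a Linux host. Assumed: account "pciscan", scan engine at 10.0.5.10/32,
# one-day window, OpenSSH with an sshd_config.d include directory.
set -eu
SCAN_USER="${SCAN_USER:-pciscan}"
SCAN_SRC="${SCAN_SRC:-10.0.5.10/32}"
SCAN_DAYS="${SCAN_DAYS:-1}"

# Expiry as days since the epoch (the form chage -E accepts); no GNU date needed.
expiry_day_number() {
    echo $(( $(date +%s) / 86400 + $1 ))
}

# sshd_config fragment: key-only login from the scanner address, every method
# switched off from anywhere else. sshd keeps the first Match value per keyword.
sshd_match_block() {
    user="$1"; src="$2"
    printf 'Match User %s Address %s\n' "$user" "$src"
    printf '    PasswordAuthentication no\n    PubkeyAuthentication yes\n'
    printf '    AuthorizedKeysFile /etc/ssh/scanner_keys/%%u\n'
    printf '    AllowAgentForwarding no\n    X11Forwarding no\n    PermitTunnel no\n'
    printf 'Match User %s\n' "$user"
    printf '    PasswordAuthentication no\n    PubkeyAuthentication no\n'
    printf '    KbdInteractiveAuthentication no\n'
}

# One scan window: locked password (key-based only) plus a hard expiry, so the
# account stops working even if nobody remembers to retire it.
create_scanner_account() {
    useradd --create-home --shell /bin/sh "$SCAN_USER"
    passwd -l "$SCAN_USER"
    chage -E "$(expiry_day_number "$SCAN_DAYS")" "$SCAN_USER"
    sshd_match_block "$SCAN_USER" "$SCAN_SRC" > "/etc/ssh/sshd_config.d/50-$SCAN_USER.conf"
    sshd -t && systemctl reload sshd   # unit is "ssh" on Debian/Ubuntu
}

# After the scan: lock and expire immediately (day 1 = 1970-01-02; 0 means never).
retire_scanner_account() {
    usermod --lock "$SCAN_USER"
    chage -E 1 "$SCAN_USER"
    rm -f "/etc/ssh/sshd_config.d/50-$SCAN_USER.conf"
    sshd -t && systemctl reload sshd
}

case "${1:-}" in
    create) create_scanner_account ;;
    retire) retire_scanner_account ;;
    *) sshd_match_block "$SCAN_USER" "$SCAN_SRC" ;;   # preview the fragment
esac
```

With no argument the script only prints the sshd fragment, which is a convenient way to review the restriction before it is installed.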
It is vital to work with a reputable ASV or scanning vendor who will sign non-disclosure agreements and security contracts, so that any data and systems accessed remain safeguarded.
However, you should never hand over existing user credentials to a scanning vendor, regardless of what they sign or how reputable they appear. Always provide a temporary user that is set up for the purpose of scanning.
In some cases, it may also be more efficient to scan systems on a segmented basis, so that you can make discovery and remediation more efficient – there’s no need to wait for the entire process to complete.
To avoid all doubt, PCI SSC recommends following best practices outlined in cybersecurity frameworks such as NIST, which help business owners fill in many gaps in both assessing security posture and remedying vulnerabilities. However, it’s wise to follow guidance from both PCI DSS and any frameworks you choose:
“While the NIST Framework identifies general security outcomes and activities, PCI DSS provides specific direction and guidance on how to meet security outcomes for payment environments. Because they are intended for different audiences and uses, they are not interchangeable, and neither one is a replacement for the other.”
PCI Security Standards Council
Conclusion
Given that we are far beyond the end of March 2025, now is the time to reassess your security posture, and the steps you take to scan for vulnerabilities, if you regularly process cardholder information.
PCI DSS has evolved to improve the way companies manage and safeguard incredibly sensitive data – and following these rules is imperative to ensure customer safety and to avoid non-compliance penalties.
Vulnerability scanning is just one piece of the broader cybersecurity analysis puzzle, and VikingCloud is on hand to help you put it all together. To learn more about how our authenticated vulnerability scans can help you keep customer data safe (and your firm free from legal and financial recourse), get in touch now for a free consultation.