Written by Alex Norell

PCI DSS 4.0 has evolved the Standard’s internal vulnerability scan requirements and now calls for internal vulnerability scans to be performed via Authenticated Scanning. 

This requirement is considered a best practice until March 31st, 2025, after which it must be fully implemented by any entity maintaining PCI DSS compliance for which the internal vulnerability scanning control applies to its environment. 

Why authenticated scans, and why now? A mature vulnerability management program has always been a cornerstone for an entity that wants to maintain a cybersecurity program and/or is subject to various regulations. The Standard already has controls requiring that security patches rated high or critical be applied within 30 days. The vulnerability scan is the test/control that follows up to verify this has actually been done.  

What is an “unauthenticated” scan? An unauthenticat