By: Dominick Vitolo, VP of Security Services, MegaplanIT
As a Certified Qualified Security Assessor (QSA) company and a trusted Rapid7 partner, MegaplanIT is committed to guiding organizations through the complexities of compliance and security standards.
PCI DSS version 4.0 is a significant update on the horizon and is set to take effect March 31, 2025. One of the key changes around vulnerability scanning within this update is requirement 11.3.1.2. This new requirement mandates authenticated internal vulnerability scans.
Here, we’ll shed light on why organizations should immediately transition to authenticated vulnerability scanning and how Rapid7’s InsightVM can facilitate this essential change.
Under PCI DSS 4.0, requirement 11.3.1.2 introduces the need for authenticated internal vulnerability scans, marking a departure from the widely practiced unauthenticated scans.
Currently, many organizations rely on unauthenticated scanning which, while useful, offers limited visibility into system vulnerabilities. Previous versions of the PCI DSS never specifically called for authenticated internal vulnerability scanning, which left the requirement open to interpretation.
The established procedure from requirement 11.3.1 remains applicable and is complemented by the new requirement mandating authenticated internal vulnerability scans.
InsightVM’s capability to perform scans with provided credentials aligns perfectly with the authenticated scanning requirements of PCI DSS 4.0. Scanning with credentials allows you to gather information about your network and assets that you could not otherwise access. You can inspect assets for a wider range of vulnerabilities or security policy violations.
Additionally, authenticated scans can check for software applications and packages as well as verify patches. When you scan a site with credentials, target assets in that site authenticate the Scan Engine as they would an authorized user.
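To make the visibility gap concrete, here is an added example (not code from the original post, Rapid7, or MegaplanIT) contrasting the two views of the same host. The banner, the installed package version, the advisory record and its `EXAMPLE-0001` identifier are all constructed placeholders; the point it shows is that a network-only check can only reason about the upstream version string it sees on the wire, whereas an authenticated check can read the actual package revision and therefore verify whether a vendor-backported patch is present.

```python
"""Unauthenticated (banner-based) vs authenticated (package-based) vulnerability checks.

Added illustration; all inputs below are constructed, not taken from a real scan.
"""
import re

# What an unauthenticated scan observes: only the service banner on the wire.
SSH_BANNER = "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5"

# What an authenticated scan can read from the host (e.g. dpkg-query over SSH).
INSTALLED = {"openssh-server": "1:8.2p1-4ubuntu0.5"}

# Hypothetical advisory: flaw fixed upstream in 8.3, and backported by the vendor
# into package revision 4ubuntu0.3 without changing the upstream "8.2p1" string.
ADVISORY = {
    "id": "EXAMPLE-0001",              # placeholder, not a real CVE id
    "package": "openssh-server",
    "upstream_fixed": "8.3",
    "vendor_fixed_revision": "4ubuntu0.3",
}


def _tokens(version):
    """Split a version string into chunks; numbers compare numerically, text lexically."""
    return [(0, int(t)) if t.isdigit() else (1, t)
            for t in re.findall(r"\d+|[^\d]+", version)]


def version_lt(a, b):
    """True if version string a sorts before b (simplified dpkg-style ordering)."""
    return _tokens(a) < _tokens(b)


def unauthenticated_check(banner, advisory):
    """Network-only view: infer exposure from the upstream version in the banner."""
    m = re.search(r"OpenSSH_(\d+\.\d+)", banner)
    if not m:
        return {"status": "unknown", "reason": "no version string in banner"}
    seen, fixed = m.group(1), advisory["upstream_fixed"]
    if version_lt(seen, fixed):
        # Banner cannot reveal a backported fix, so this may be a false positive.
        return {"status": "vulnerable", "reason": f"banner {seen} < upstream fix {fixed}"}
    return {"status": "not_vulnerable", "reason": f"banner {seen} >= upstream fix {fixed}"}


def authenticated_check(installed, advisory):
    """Host view: compare the installed package revision with the vendor's fixed revision."""
    version = installed.get(advisory["package"])
    if version is None:
        return {"status": "not_installed", "reason": "package absent on host"}
    no_epoch = version.split(":", 1)[-1]            # drop "1:" epoch prefix
    upstream, sep, revision = no_epoch.rpartition("-")
    if not sep:                                     # no vendor revision at all
        upstream, revision = no_epoch, "0"
    fixed = advisory["vendor_fixed_revision"]
    if version_lt(revision, fixed):
        return {"status": "vulnerable",
                "reason": f"{upstream} revision {revision} < fixed revision {fixed}"}
    return {"status": "not_vulnerable",
            "reason": f"{upstream} revision {revision} >= fixed revision {fixed} (backport present)"}


def compare_views(banner=SSH_BANNER, installed=INSTALLED, advisory=ADVISORY):
    """Run both checks for one advisory and return them side by side."""
    return {
        "advisory": advisory["id"],
        "unauthenticated": unauthenticated_check(banner, advisory),
        "authenticated": authenticated_check(installed, advisory),
    }


if __name__ == "__main__":
    for view, result in compare_views().items():
        print(view, result)
```

Run as-is, the unauthenticated view flags the host (the banner says 8.2, the upstream fix is 8.3) while the authenticated view clears it, because the installed revision 4ubuntu0.5 already carries the backported fix. Swap in an older revision such as `1:8.2p1-4ubuntu0.2` and the authenticated check reports the host as vulnerable, which is the patch-verification behaviour the requirement is after.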
Rapid7’s universal Insight Agent gathers extensive vulnerability data, supporting the authenticated scanning process effectively.
Transitioning to authenticated internal vulnerability scanning in order to meet the control requirements of PCI DSS 4.0 is a crucial step towards strengthening your organization’s security posture. As a certified QSA, MegaplanIT strongly recommends that organizations begin this shift now.
Tools like Rapid7’s InsightVM are pivotal in this journey, offering a comprehensive, scalable, and user-friendly solution. By embracing this change today, your organization will not only be compliant, but also significantly more secure against ever-evolving cyber threats.