Frequently Asked Question

What is meant by “significant change” in PCI DSS?
There are several PCI DSS requirements that specify performance upon a significant change in an entity’s environment. While what constitutes a significant change is highly dependent on the configuration of a given environment, each of the following activities are included under “Significant Change” in the “Description of Timeframes Used in PCI DSS Requirements” section in PCI DSS v4.0:
-
New hardware, software, or networking equipment added to the CDE.
-
Any replacement or major upgrades of hardware and software in the CDE.
-
Any changes in the flow or storage of account data.
-
Any changes to the boundary of the CDE and/or to the scope of the PCI DSS assessment.
-
Any changes to the underlying supporting infrastructure of the CDE (including, but not limited to, changes to directory services, time servers, logging, and monitoring).
-
Any changes to third party vendors/service providers (or services provided) that support the CDE or meet PCI DSS requirements on behalf of the entity.
Each of these activities, at a minimum, have potential impacts on the security of an entity’s cardholder data environment (CDE), and must be considered and evaluated to determine whether a change is significant for that entity and in the context of related PCI DSS requirements.