Understanding Significant Changes Under PCI DSS

For PCI-certified organizations, Significant Changes are a common source of confusion, both what is considered a Significant Change and what is required by PCI when one has taken place. In the PCI DSS 4.0, a Significant Change is defined as:

There are certain requirements for which performance is specified upon a significant change in an entity’s environment. While what constitutes a significant change is highly dependent on the configuration of a given environment, each of the following activities, at a minimum, has potential impacts on the security of the CDE and must be considered as a significant change in the context of related PCI DSS requirements:

New hardware, software, or networking equipment added to the CDE .

Any replacement or major upgrades of hardware and software in the CDE.

Any changes in the flow or storage of account data [PAN, CHD, CVV2, SAD].

Any changes to the boundary of the CDE and/or to the scope of the PCI DSS assessment.

Any changes to the underlying supporting infrastructure of the CDE (including, but not limited to, changes to directory services, time servers, logging, and monitoring).

Any changes to third-party vendors/service providers (or services provided) that support the CDE or meet PCI DSS requirements on behalf of the entity.

In summary, a Significant Change is triggered when people, processes, networks, or technologies are altered in a way that could affect the security of Account Data which encompasses both Credit Card Data (CHD) and Sensitive Authentication Data (SAD). Significant Changes are not routine maintenance updates or small tweaks done to in-scope systems, people, or processes, but are reserved for major work efforts or changes in the flow of Account Data, architecture, or implementation changes done to in-scope systems, people, or processes.

Examples of a Significant Change event may include, but are not limited to:

• Adding new equipment/data flow from a merger or acquisition – change in scope.
• Scaling horizontally, for example, adding capacity to an already deployed system when the system is not deployed as part of a cloud-based auto-scaling group or using some type of automated software Configuration Management tool like Puppet, Chief, or Terraform.
• Moving physical colocation or racks.
• Moving from on-prem to cloud (lift and shift) or vice versa.
• Custom software changes that affect Account Data or the security of the in-scope environment.
• Reconfiguring the security controls on a domain controller or other systems in shared services networks that are connected to the CDE (CAT-2) and that affect the security of in-scope systems. 
• Adding new functional roles and servers into the network segments of the CDE or systems directly storing, processing, or transmitting account data (CAT-1).
• Adding a new storage array into shared services networks that are connected to the CDE (CAT-2) and that affect the security of in-scope systems.
• Changing network switches or firewalls used to define in-scope segments and access control.
• Change in IT vendors that maintain your in-scope systems.
• Creating a mirrored DR environment (hot or cold).

Required Actions

When a Significant Change occurs reference the change controls to see the actions required. Common requirements include identifying new data storage locations, updating documentation, and updating network and data flow diagrams. Changes such as adding new systems or updating firewall rules will require you to perform internal and external vulnerability scans and penetration tests. CompliancePoint is a QSAC, we have a knowledgeable team that can guide your organization through Significant Change requirements. 

All evidence must be collected before or during the change and saved for your next assessment. In the subsequent assessment, you will need to provide the QSA with evidence showing that all relevant PCI tasks were completed. The QSA will need this documentation because the PCI DSS Report on Compliance (RoC) contains specific documentation requirements for Significant Change evidence to be reviewed and sighted.  

Requirement Specifics

Use the chart below as a guide to understanding what is required for each Significant Change.

Control Reference	Requirement Action	PCI DSS 3.2.1 Control	PCI DSS 4.0 Control
Changes to all system components are managed securely.	Follow the change control process, evidence of change tickets is needed to describe the change required for the next audit.	6.4	6.5
Analyze significant changes to ensure all appropriate PCI DSS controls are applied to any systems or networks added or changed within the in-scope environment.	Update Network and Data Flow Diagrams and change the legend to show the updated date. New and updated systems need to be protected with the required controls. Document all account data storage and incorporate into data retention policies and procedures. New systems must be included in quarterly vulnerability scans.	6.4.6	6.5.2
After a significant change, scan the environment to ensure its security was not compromised.	New systems need to have internal and external vulnerability scans completed using authenticated scanning methods. All high and critical issues must be patched before going online.  All medium issues must be patched within 90 days. It is recommended that vulnerabilities be patched before release.	11.2	11.3.1.3
Internal and external penetration testing is performed after any significant infrastructure or application upgrade or change.	Internal and external infrastructure penetration testing and web application testing must be completed along with remediation for new systems. There is no requirement to scale horizontally if using the same method that was reviewed and approved in the previous assessment. Segmentation testing is needed if adding a new sub-net, VLAN, or device that affects the security of network access.	11.3	11.4.2 11.4.3 11.4.6
Each PCI DSS requirement that provides flexibility for how frequently it is performed is supported by a targeted and documented risk analysis.	Adjust task frequency using a risk-based approach to determine the appropriate task intervals.	12.2	12.3x
PCI DSS scope is documented and confirmed upon a significant change to the in-scope environment.	The required scoping validations include: Identifying all data flows for the various payment stages Updating all data-flow diagramsIdentifying all locations where account data is stored, processed, and transmitted Identifying all CDE system components Identifying all segmentation controls in use and the environment(s) from which the CDE is segmented Identifying all connections from third-party entities with access to the CDE	Various	12.5.2

At CompliancePoint, our Qualified Security Assessors have decades of experience as practitioners and auditors. Please reach out to us at connect@compliancepoint.com if you have any questions about PCI Significant Changes or how CompliancePoint can assist with your organization’s PCI DSS Certification.