Frequently Asked Question

There are several PCI DSS requirements that specify performance upon a significant change in an entity's environment. While what constitutes a significant change is highly dependent on the configuration of a given environment, each of the following activities are included under "Significant Change" in the "Description of Timeframes Used in PCI DSS Requirements" section in PCI DSS v4.0:

• New hardware, software, or networking equipment added to the CDE.

• Any replacement or major upgrades of hardware and software in the CDE.

• Any changes in the flow or storage of account data.

• Any changes to the boundary of the CDE and/or to the scope of the PCI DSS assessment.

• Any changes to the underlying supporting infrastructure of the CDE (including, but not limited to, changes to directory services, time servers, logging, and monitoring).

• Any changes to third party vendors/service providers (or services provided) that support the CDE or meet PCI DSS requirements on behalf of the entity.

Each of these activities, at a minimum, have potential impacts on the security of an entity's cardholder data environment (CDE), and must be considered and evaluated to determine whether a change is significant for that entity and in the context of related PCI DSS requirements.