PCI DSS v4.0.1 Vulnerability Scanning: Can you Rescore without CVSS? 

Organizations navigating PCI DSS compliance often assume that CVSS (Common Vulnerability Scoring System) is a mandatory element of internal vulnerability rescoring. The assumption usually surfaces when security teams want to apply a risk-based approach and adjust scanner-assigned severities so they better reflect the actual risk a vulnerability poses in their environment. 

Interestingly, PCI DSS v4.0.1 does not explicitly mandate the use of CVSS for internal vulnerability scanning or internal rescoring, even though CVSS is commonly used and is the default output of most scanning tools. The standard leaves room for alternative approaches, including an entity-defined risk ranking that evaluates vulnerabilities and assigns ratings based on the organization's environment and its risk-assessment methodology. That entity-defined ranking is exactly what Requirement 6.3.1 asks organizations to establish. 

So, can you rescore vulnerabilities without CVSS under PCI DSS v4.0.1? 

Short answer: Yes. 

What PCI DSS v4.0.1 expects is a consistent, objective, and justifiable approach to evaluating vulnerability risk—one that reflects the organization’s environment and supports risk‑based remediation decisions. 

What PCI DSS v4.0.1 Actually Requires 

Internal vulnerability scanning is addressed under Requirement 11.3.1 and its sub-requirements. Their intent is not to enforce a specific scoring methodology, but to ensure organizations are actively identifying, prioritizing, and remediating vulnerabilities in a risk-aware manner. The severity ranking itself comes from the entity's own risk ranking process under Requirement 6.3.1, which 11.3.1 references when it describes which vulnerabilities must be resolved. 

From a practical standpoint, organizations need to: 

  • Perform internal vulnerability scans at least once every three months (the standard's wording; "quarterly" in everyday usage) 
  • Perform scans after significant changes to the environment 
  • Use qualified personnel and tools to conduct scans, with authenticated scanning where systems can accept credentials 
  • Identify vulnerabilities and assess their risk to the environment using the entity's risk rankings defined under Requirement 6.3.1 
  • Resolve high-risk and critical vulnerabilities, and manage all other applicable vulnerabilities in a timely manner 
  • Conduct rescans to verify that remediation was effective 

The important takeaway is that PCI DSS expects a risk-based approach. Vulnerabilities need to be evaluated, prioritized, and remediated based on their potential impact on the cardholder data environment. 

PCI DSS does not require that this risk be expressed using CVSS. 

What PCI DSS v4.0.1 Does Not Require 

PCI DSS v4.0.1 leaves flexibility in how organizations assess vulnerability risk. This is where many misconceptions arise. 

For internal vulnerability scanning, PCI DSS v4.0.1 does not explicitly require organizations to: 

  • Use CVSS as the scoring methodology, or as the sole input to one 
  • Follow a specific numeric scoring scale 
  • Accept scanner-assigned severity ratings without applying organizational context 
  • Refrain from rescoring or adjusting severity based on environmental context 

This flexibility exists because risk is not one-size-fits-all. A vulnerability that is critical in one environment may be significantly less impactful in another due to factors like segmentation, exploitability, or compensating controls. 

Why CVSS Is Common but Not Mandatory 

CVSS is widely used because it provides a standardized way to communicate vulnerability severity. Most commercial scanning tools rely on it by default, and many security teams are familiar with CVSS scoring ranges. 

However, CVSS is a general-purpose scoring framework, and what scanners report is almost always the Base score, which by design describes the vulnerability itself rather than your deployment of it. CVSS does define Temporal (Threat, in v4.0) and Environmental metric groups for exactly this purpose, but scanners rarely populate them. The Base score alone therefore does not reflect environmental factors such as: 

  • Whether the asset is internet-facing or otherwise exposed within the organization’s network architecture 
  • The presence of compensating controls 
  • The sensitivity of the data involved 
  • Real-world exploitability in relation to the organization’s segmentation, access paths, and environment-specific context. 

PCI DSS v4.0.1 allows organizations to go beyond CVSS, provided they can demonstrate that their approach to evaluating and addressing internal vulnerability scan findings reasonably manages risk to cardholder data and the in-scope environment. 

How Internal Vulnerability Scanning Requirements Relate to CVSS 

A key point that is often overlooked is that the internal vulnerability scanning requirements in PCI DSS do not mention CVSS at all. 

When evaluating compliance, assessors are looking for evidence that: 

  • Vulnerabilities are being identified consistently 
  • Risk is evaluated in a structured, repeatable process 
  • Remediation decisions are justified and documented 
  • High-risk issues are prioritized and addressed 

In other words, the focus is on process and outcomes rather than the scoring label itself. 

Practical Guidance for Organizations  

If you are considering using a different scoring method for rescoring vulnerabilities, the goal should be to make your approach more practical and more defensible, not more complicated. 

A few practical guidelines can help: 

Define a clear methodology 
Document how vulnerabilities are evaluated. CVSS can be used as an input, but your methodology should also incorporate environmental and business context. 

Incorporate environmental factors 
Adjust severity based on exposure, asset criticality, and existing controls. This is often where internal rescoring adds the most value. 

Be consistent 
Apply the same methodology across scans and over time. Inconsistency is more likely to raise assessor concerns than the choice of scoring model. 

Document your decisions 
If a vulnerability is downgraded or deprioritized, clearly explain why. Documentation is essential for audit defensibility. 

Align remediation to risk 
Ensure vulnerabilities deemed high risk are remediated promptly, regardless of whether that rating came from CVSS or your internal model. 

Validate with your assessor 
When in doubt, engage your QSA early. Alignment ahead of the assessment helps prevent surprises later. 
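Putting the guidelines above together, and the "CVSS as a baseline with a context model on top" approach described under Bottom Line below, as a small Python module. This is an added example, not Tevora's methodology and not anything PCI DSS prescribes: the rating scale, the one-step adjustment rules, the remediation windows, the "public exploit never below High" guardrail and the sample findings are all assumptions standing in for whatever an organization documents in its own Requirement 6.3.1 risk ranking. The scanner's CVSS base score is the baseline, each environmental factor moves the rating one step and writes a rationale line, and the returned record carries what an assessor asks for: baseline, final rating, whether it was downgraded, the remediation window, and why.

```python
"""
Rescoring internal scan findings with an entity-defined risk ranking.

Added example, not Tevora's methodology and not anything PCI DSS prescribes.
Scale, adjustment rules, remediation windows, guardrail and sample findings
are assumptions an organization would replace with its own documented
Requirement 6.3.1 risk ranking, applied to its 11.3.1 internal scan results.
"""
from dataclasses import dataclass
import json

# Entity-defined scale, ascending: a higher index is more severe (assumed).
SCALE = ("Low", "Medium", "High", "Critical")
# Assumed remediation windows in days for each final rating.
REMEDIATION_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}
# "isolated" means verified segmentation with no path from untrusted networks.
EXPOSURES = ("internet", "internal", "isolated")


@dataclass(frozen=True)
class Finding:
    """One scanner finding plus the environmental context the scanner lacks."""
    finding_id: str
    title: str
    asset: str
    cvss_base: float                   # scanner-reported CVSS base score: the baseline input
    exposure: str                      # one of EXPOSURES
    exploit_public: bool               # a working exploit is publicly available
    compensating_controls: tuple = ()  # documented, tested controls reducing exploitability


def baseline_rating(cvss_base: float) -> str:
    """Map a CVSS base score onto SCALE using the CVSS v3.x qualitative bands."""
    if cvss_base >= 9.0:
        return "Critical"
    if cvss_base >= 7.0:
        return "High"
    if cvss_base >= 4.0:
        return "Medium"
    return "Low"


def rescore(f: Finding) -> dict:
    """Apply the documented adjustments to the baseline and return an audit record.

    Each factor moves the rating exactly one step and writes a rationale line, so
    identical inputs always give identical output, and a downgrade can only come
    from a factor that is itself documented (isolation or a named control).
    """
    if f.exposure not in EXPOSURES:
        raise ValueError(f"{f.finding_id}: exposure must be one of {EXPOSURES}")

    baseline = baseline_rating(f.cvss_base)
    idx = SCALE.index(baseline)
    rationale = [f"baseline {baseline} from CVSS base score {f.cvss_base}"]

    def step(delta: int, why: str) -> None:
        nonlocal idx
        new_idx = min(max(idx + delta, 0), len(SCALE) - 1)
        sign = "+1" if delta > 0 else "-1"
        if new_idx == idx:  # already at the end of the scale: record, but no change
            rationale.append(f"{sign} {why} (no change: already {SCALE[idx]})")
        else:
            idx = new_idx
            rationale.append(f"{sign} {why} -> {SCALE[idx]}")

    if f.exposure == "internet":
        step(+1, "asset is internet-facing")
    elif f.exposure == "isolated":
        step(-1, "asset isolated by verified segmentation")
    if f.exploit_public:
        step(+1, "public exploit available")
    if f.compensating_controls:
        step(-1, "compensating controls: " + "; ".join(f.compensating_controls))

    # Guardrail (assumed policy): a finding with a public exploit is never rated
    # below High, whatever controls are in place.
    if f.exploit_public and idx < SCALE.index("High"):
        idx = SCALE.index("High")
        rationale.append("floor: public exploit keeps rating at least High")

    final = SCALE[idx]
    return {
        "finding_id": f.finding_id,
        "asset": f.asset,
        "title": f.title,
        "baseline_rating": baseline,
        "final_rating": final,
        "downgraded": SCALE.index(final) < SCALE.index(baseline),
        "remediation_days": REMEDIATION_DAYS[final],
        "rationale": rationale,
    }


def rescore_all(findings) -> list:
    """Rescore every finding and order the records most severe first."""
    records = [rescore(f) for f in findings]
    return sorted(records, key=lambda r: SCALE.index(r["final_rating"]), reverse=True)


# Constructed sample findings, not real scan output.
SAMPLE_FINDINGS = (
    Finding("F-001", "Remote code execution in web framework", "pay-web-01", 9.8, "internet", True),
    Finding("F-002", "Weak TLS cipher suites on database listener", "pay-db-01", 7.5, "internal", False,
            ("TLS 1.0/1.1 disabled on listener; port reachable only from app-tier ACL",)),
    Finding("F-003", "Path traversal in legacy admin console", "pay-adm-01", 5.3, "internal", True,
            ("console reachable only from the jump host",)),
    Finding("F-004", "Verbose server banner", "pay-batch-01", 3.7, "isolated", False),
)

if __name__ == "__main__":
    print(json.dumps(rescore_all(SAMPLE_FINDINGS), indent=2))
```

Because rescore() is a pure function of its inputs, the same finding with the same documented context gets the same rating on every scan, which is the consistency assessors look for, and the rationale list is the written justification for any downgrade. Note how F-003 ends up High even though the compensating control pulled it back to Medium: the guardrail fires because a public exploit exists, and the record says so. Run the module directly to print the records as JSON.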

Bottom Line 

PCI DSS v4.0.1 does not require CVSS for internal vulnerability scanning or rescoring. What it requires is a risk-based approach that is consistent, documented, and effective at reducing exposure. 

Organizations have the flexibility to tailor their scoring methodology to better reflect their environment, as long as they can clearly demonstrate how vulnerabilities are evaluated and why remediation decisions are made. 

For many teams, the most effective approach is not abandoning CVSS entirely, but using it as a baseline and building a context-driven risk model on top of it. 

Quick Overview: 

  • Internal scans: CVSS is optional, though commonly used 
  • External scans: CVSS is effectively required. The ASV Program Guide keys pass/fail to the CVSS base score (a finding of 4.0 or higher fails the scan), and an entity's internal rescoring does not apply to ASV results; false positives, exceptions, and compensating controls go through the ASV's review process instead 
  • PCI DSS v4.0.1: CVSS is mentioned in the glossary, in the context of external scans, and as a consideration for the Requirement 6.3.1 risk ranking, with no internal-scan obligation 

Tevora Can Help  

Tevora’s experienced experts can answer any questions about PCI and would welcome the opportunity to help you meet compliance standards. Just give us a call at (833) 292-1609 or email us at [email protected]