6.3 - Security Vulnerabilities Identified and Addressed

PCI DSS v4.0 requirement 6.3 mandates that an organization regularly identify security vulnerabilities in its card-holder data environment and apply appropriate fixes. Vulnerabilities must be evaluated with approved scanning or testing tools, remediated within the timeframes defined by the risk level, and the actions taken must be documented and tracked for compliance verification.