
The PCI Security Standards Council released new guidance that’s having a big effect on the compliance community – and for good reason. Their latest infographic and FAQ focus on two critical areas that have long been decisive in a successful audit: identifying and risk-ranking vulnerabilities, and resolving or addressing vulnerabilities under PCI DSS Requirements 6 and 11.
While the guidance itself might seem straightforward on the surface, it represents a fundamental shift in how organizations need to approach vulnerability management – and it’s exactly why modern compliance automation and data enrichment platforms like Thoropass are so essential.
The Reality Check: Risk Ranking Isn’t Just About CVSS Scores Anymore
The PCI SSC emphasizes that classifying risks (critical, high, medium, or low) allows organizations to identify, prioritize, and address the highest risk items more quickly, reducing the likelihood that vulnerabilities posing the greatest risk will be exploited. But here’s where many organizations get tripped up.
Many organizations base their entire risk ranking program on CVSS scores, essentially assigning a risk ranking to each CVSS score range. While CVSS is a valuable tool, this approach can lead to problems: some vulnerabilities have no CVSS score at all, and others are not represented properly by their score because of the parameters it was derived from. This is particularly problematic for vulnerabilities in bespoke or custom software that have no assigned CVE numbers, as well as for recurring vulnerabilities whose published scores are outdated and fail to represent their actual risk and danger to enterprise systems.
Even more challenging, a simple CVSS-based system doesn’t take the unique circumstances of each organization into account. Organizations may spend valuable time and resources on what is assumed to be an urgent, disruptive patch for a vulnerability that is not serious in their specific environment.
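As an added illustration (not from the post or from Thoropass), the Python below puts a score-range lookup beside a ranking that treats CVSS as one input among several and records why each level was assigned, including the case of a bespoke finding with no score. The band thresholds, adjustment rules, conservative default for unscored findings, and sample findings are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

LEVELS = ["low", "medium", "high", "critical"]
# Hypothetical score-to-level bands; the thresholds are this example's assumption.
CVSS_BANDS = [(9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.0, "low")]

def rank_by_cvss(cvss: Optional[float]) -> Optional[str]:
    """Score-only ranking. Cannot rank a finding that has no CVSS score at all."""
    if cvss is None:
        return None
    for floor, level in CVSS_BANDS:
        if cvss >= floor:
            return level
    return "low"

@dataclass
class Finding:
    finding_id: str
    cvss: Optional[float]        # None for bespoke code with no CVE/CVSS
    exploited_in_wild: bool      # second source, e.g. a threat-intel feed
    asset_in_cde: bool           # asset stores, processes or transmits cardholder data
    internet_facing: bool
    compensating_control: bool   # documented control that limits exposure

def rank_with_context(f: Finding) -> Tuple[str, List[str]]:
    """Evidence-based ranking: CVSS is one input, and every adjustment is recorded."""
    evidence: List[str] = []
    base = rank_by_cvss(f.cvss)
    if base is None:
        base = "high"  # conservative default; an analyst must confirm and document
        evidence.append("no CVSS score: default to high pending manual review")
    else:
        evidence.append(f"CVSS {f.cvss} maps to {base}")
    idx = LEVELS.index(base)
    if f.exploited_in_wild:
        idx = min(idx + 1, 3)
        evidence.append("active exploitation reported: raised one level")
    if f.asset_in_cde and f.internet_facing:
        idx = min(idx + 1, 3)
        evidence.append("internet-facing CDE asset: raised one level")
    if f.compensating_control:
        idx = max(idx - 1, 0)
        evidence.append("documented compensating control: lowered one level")
    return LEVELS[idx], evidence

# Constructed sample findings, not real data.
BESPOKE_APP = Finding("APP-001", None, False, True, True, False)
ISOLATED_HOST = Finding("HOST-002", 9.8, False, False, False, True)
```

The unscored bespoke finding, which the score-only lookup cannot rank at all, lands at critical once its exposure is considered, while the 9.8-scored finding on an isolated host with a documented control drops to high; the evidence list is the audit trail for each decision.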
What This Means for Your Compliance Program
The PCI Council’s new guidance isn’t just theoretical – it has immediate, practical implications:
1. Evidence-Based Risk Rankings Are Critical
The guidance specifically recommends that the “process should include multiple sources of vulnerability information.” This means you can’t build a vulnerability classification system on a single source of evidence and call it a day. You need to document your decision-making process, justify your risk rankings, and maintain audit trails that demonstrate how you arrived at your conclusions based on “evidence-based-data.”
2. Requirements 6 and 11 Are More Connected Than Ever
Regardless of which method is used to assign risk rankings to vulnerabilities, it must include data-backed ‘high’ and ‘critical’ levels at a minimum, as these are referenced in many PCI DSS requirements. This interconnectedness means that a weakness in your vulnerability risk ranking process can cascade across multiple compliance requirements and into how you triage gaps across your enterprise.
3. Manual Processes Are No Longer Viable
When you’re dealing with the volume of vulnerabilities that modern organizations face, manual risk ranking becomes not just inefficient, but actively dangerous. The PCI Council’s emphasis on evidence-based rankings means you need systems that can automatically collect, analyze, and document your vulnerability management decisions backed with supporting evidence.
Where Traditional Approaches Fall Short
I’ve seen countless organizations struggle with PCI DSS vulnerability management because they’re trying to solve a 2025 problem with 2015 tools. Here’s what typically goes wrong:
Spreadsheet Overload: Organizations track vulnerabilities in spreadsheets or some other form of static process, manually updating CVSS scores and risk rankings. This approach breaks down quickly as vulnerabilities accumulate and change while time pressures mount.
Siloed Systems: Vulnerability scanning tools operate separately from compliance tracking systems, creating gaps where critical vulnerabilities fall through the cracks or aren’t properly documented for audit purposes.
One-Size-Fits-All Risk Rankings: Without considering their specific environment or vulnerability characteristics, organizations apply generic risk rankings that don’t reflect their actual risk exposure.
Audit Scrambles: When it’s time for a PCI assessment, teams spend weeks trying to reconstruct their vulnerability management processes and provide the evidence-based documentation that auditors require.
The Thoropass Advantage: Purpose-Built for Modern PCI Compliance
This is exactly why we built Thoropass with integrated vulnerability management and audit capabilities. When the PCI Council and other regulatory agencies release guidance like this, we don’t see it as a compliance burden – we see it as validation of the approach we’ve been advocating for years.
Here’s how Thoropass addresses the challenges highlighted in the guidance:
Automated Evidence Collection
Our platform automatically integrates with your existing vulnerability and exposure management scanning tools and security systems, collecting the evidence you need for risk ranking decisions without manual intervention. No more scrambling to piece together documentation when an auditor asks how you classified a specific vulnerability.
Contextual Risk Ranking
Rather than relying solely on CVSS scores, Thoropass helps you implement risk ranking systems that consider your specific environment, asset criticality, and business context. The platform documents these decisions automatically, creating the evidence trail that the requirements and guidance call for.
Unified Compliance View
Because Thoropass combines compliance automation with actual audit capabilities, your vulnerability management processes are designed from the ground up to meet auditor expectations. There’s no gap between what you’re tracking and what your auditor needs to see.
Real-Time Audit Readiness
With First Pass AI and continuous monitoring, you can identify potential compliance gaps before they become audit findings. The platform helps you understand whether your evidence will meet auditor requirements – before the auditor even sees it.
The Bottom Line: Maintaining Compliance Has Become More Complex and Requires More Proactive Rigor
The PCI Council’s vulnerability risk ranking guidance might seem like a small update, but it represents a broader trend toward more rigorous, evidence-based compliance programs. Organizations that try to meet these evolving requirements with manual processes and disconnected tools are setting themselves up for security risks, audit failures and compliance gaps.
The question isn’t whether you need better vulnerability management processes – the PCI advice has made that clear. The question is whether you’ll invest in a platform that’s designed to meet these requirements seamlessly, or continue struggling with point solutions that leave you scrambling during every audit cycle.
At Thoropass, we’ve seen firsthand how the right platform can transform a PCI DSS assessment from a slow, manual exercise into an ongoing, proactive competitive advantage. When your vulnerability management processes are automated, evidence-based, and audit-ready from day one, you’re not just meeting today’s requirements – you’re prepared for whatever additional guidance or assessment changes the PCI SSC releases next.
Ready to see how audit-ready compliance can transform your PCI program? Learn more about Thoropass’ integrated approach to compliance automation and audit at thoropass.com.