After significant changes, which statement best describes vulnerability scanning requirements?

Prepare for the PCI DSS Test with detailed questions and explanations. Use flashcards and quizzes to enhance knowledge. Ensure you're ready for your certification exam!

Multiple Choice

After significant changes, which statement best describes vulnerability scanning requirements?

Explanation:
After significant changes to the cardholder data environment, you must re-run vulnerability scans to verify that the changes didn’t introduce new weaknesses. Scanning isn’t a one-time step; you perform scans and then repeat them as needed to verify remediation and ensure no high‑risk vulnerabilities remain. This best reflects the ongoing, confirming nature of vulnerability management after changes. The other options miss key parts: not scanning at all leaves you blind to new risks; external-only misses internal exposures; and simply stating both internal and external after changes without the follow-up rescans doesn’t emphasize the necessary verification step.

