# What is meant by “significant change” in PCI DSS? There are several PCI DSS requirements that specify performance upon a significant change in an entity’s environment. While what constitutes a significant change is highly dependent on the configuration of a given environment, each of the following activities are included under “Significant Change” in the “Description of Timeframes Used in PCI DSS Requirements” section in PCI DSS v4.0: - New hardware, software, or networking equipment added to the CDE. - Any replacement or major upgrades of hardware and software in the CDE. - Any changes in the flow or storage of account data. - Any changes to the boundary of the CDE and/or to the scope of the PCI DSS assessment. - Any changes to the underlying supporting infrastructure of the CDE (including, but not limited to, changes to directory services, time servers, logging, and monitoring). - Any changes to third party vendors/service providers (or services provided) that support the CDE or meet PCI DSS requirements on behalf of the entity. Each of these activities, at a minimum, have potential impacts on the security of an entity’s cardholder data environment (CDE), and must be considered and evaluated to determine whether a change is significant for that entity and in the context of related PCI DSS requirements. April 2023 Article Number: [1317](https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/What-is-meant-by-significant-change-in-PCI-DSS/)