Rescans should verify removal according to which requirement's ranking?


Multiple Choice

Rescans should verify removal according to which requirement's ranking?

Explanation:
Rescans are part of how you close the loop on vulnerability remediation. After fixes are applied, a rescan checks that those vulnerabilities are actually gone and that the remediation holds up in the live environment. Because not all vulnerabilities carry the same risk, the process is driven by a risk-based ranking: higher‑risk issues are addressed first, then medium, then lower. So the rescan should verify that removals were performed in line with that ranking, confirming that the most dangerous items are resolved before moving on to less critical ones. If a high‑risk item still shows up on a rescan, it indicates the remediation wasn’t effective or complete and needs to be redone. This approach ensures the security posture improves where it matters most for protecting cardholder data.

