When should internal and external vulnerability scans be performed per 11.2.2?

Prepare for the PCI Approved Scanning Vendor (ASV) Test. Study with flashcards, multiple choice questions, hints, and explanations. Get exam ready!

Multiple Choice

When should internal and external vulnerability scans be performed per 11.2.2?

Explanation:
The main idea is that vulnerability scans are triggered by changes and must be performed by properly qualified personnel. PCI DSS 11.2.2 requires vulnerability scans to be done at least quarterly and also after any significant change to the cardholder data environment. This ensures that new systems, patches, or reconfigurations are checked for weaknesses as soon as they’re introduced, reducing the window attackers have to exploit them. The option emphasizing scans after a significant change and that they’re performed by qualified personnel matches this timing and the required level of competence. Internal scans should be conducted by individuals with the appropriate qualifications, while external scans must be done by an Approved Scanning Vendor. Daily scanning or waiting for a breach would miss the required proactive and authorized approach.
