PCI DSS v3.2.1 Regular Tasks

To maintain PCI DSS compliance, there are a number of tasks which must be conducted on a regular basis.

I’ve taken the liberty of collating all of these regular tasks into one table. Where the frequency of a task is “regular” or “periodic”, I have made a recommendation based upon my experience as a QSA. Dependent upon the environment and threat landscape, it could be justified for these indeterminate frequencies to shift in either direction.

Note that this table assumes a SAQ-D equivalent environment with all PCI DSS controls being in play. The shape of the regular tasks can change quite dramatically if the eligibility criteria for other SAQs can be met. Talk to your friendly neighbourhood PCI DSS QSA to understand your de-scoping options.