Date | Author Andrew Gilhooley | Uncategorised

To maintain PCI DSS compliance, there are a number of tasks which must be conducted on a regular basis.

I’ve taken the liberty of collating all of these regular tasks into one table. Where PCI DSS gives the frequency of a task only as “regular” or “periodic”, I have made a recommendation based upon my experience as a Qualified Security Assessor (QSA). Depending on the environment and threat landscape, it could be justified for these indeterminate frequencies to shift in either direction, provided the chosen frequency is documented and the justification recorded.

| Task | Merchant | Service Provider | Notes |
| --- | --- | --- | --- |
| CDE log reviews | Daily | Daily | Review logs of system components within the cardholder data environment (CDE) and of those supporting the CDE. Investigate and, if necessary, escalate any anomalies identified. |
| Anti-malware scans | Daily | Daily | Daily is recommended, although PCI DSS states “periodic”. Document and justify what “periodic” means, and ensure system components are configured in alignment with that. |
| Anti-malware engine and signature updates | Daily | Daily | Daily is recommended, although PCI DSS states “regularly”. Document and justify what “regular” means, and ensure system components are configured in alignment with that. |
| Remove or disable inactive user accounts | Daily | Daily | PCI DSS requires inactive accounts to be removed or disabled within 90 days. A daily check ensures that no active account which has not been logged into for 90 days remains on any system. |
| PED terminal inspections | Daily | Daily | Daily is recommended, although PCI DSS states “regularly”. Document and justify what “regular” means, and ensure that PIN entry device (PED) terminals are inspected for tampering or substitution in alignment with that. |
| BAU log reviews | Weekly | Weekly | Weekly is recommended, although PCI DSS states “periodic”. Document and justify what “periodic” means, and ensure business-as-usual (BAU) logs are reviewed in alignment with that. |
| Change detection mechanism (FIM) | Weekly | Weekly | PCI DSS requires critical file comparisons at least weekly. Most file integrity monitoring (FIM) tools operate on-access or in real time rather than by periodic scanning, which meets the requirement provided the tool alerts on unauthorised changes and those alerts are acted upon. |
| Patching (security) | Monthly | Monthly | PCI DSS requires critical security patches to be installed within one month of release. Treat as critical: CVSS ≥ 4.0 for internet-facing system components, CVSS ≥ 7.0 for internal system components, and anything identified as “High” or “Critical” by penetration testing. |
| Evaluations of system components not commonly affected by malware | Monthly | Monthly | Monthly is recommended, although PCI DSS states “periodic”. Document and justify what “periodic” means, and ensure these evaluations are conducted in alignment with that. |
| Patching (general) | Monthly | Monthly | Apply all patches rather than only security patches. Patches with no security impact can be deferred, provided the frequency is documented and justified. Test patches before deployment so that they do not impact availability. |
| Stored CHD disposal (outside data retention policy) | Quarterly | Quarterly | Any stored cardholder data (CHD) that falls outside the data retention policy must be securely deleted so that it is forensically irretrievable. |
| Vulnerability assessment: internal | Quarterly | Quarterly | Must be conducted by qualified personnel with organisational independence from the systems being scanned (an internal team is acceptable). Rescan until all “high-risk” vulnerabilities are resolved. |
| Vulnerability assessment: external (ASV) | Quarterly | Quarterly | Must be conducted by an Approved Scanning Vendor (ASV) in good standing with the PCI SSC. Four passing quarterly scans are required. See the ASV Program Guide for further details. |
| Wireless assessment | Quarterly | Quarterly | Detection of rogue wireless access points. The quarterly manual assessment can be replaced by automated wireless monitoring tools (wireless IDS/IPS) or network access control. |
| Password changes | Quarterly | Quarterly | Any password more than 90 days old must be changed. |
| Review of security processes | N/A | Quarterly | Service providers only. Review security processes to confirm that staff are following policies and procedures, and document the results of the review. |
| Firewall configuration reviews | Every 6 months | Every 6 months | PCI DSS requires firewall and router rule sets to be reviewed at least every six months. Confirm that each rule is still justified by a business need and remove any that are not. |
| Review of storage facilities used to store cardholder data on removable media or hardcopy | Every 6 months | Every 6 months | Every six months is recommended, although PCI DSS states “periodic”. Document and justify what “periodic” means, and ensure that reviews are conducted in alignment with that. |
| Review of inventory of removable media or hardcopy used to store cardholder data | Every 6 months | Every 6 months | Every six months is recommended, although PCI DSS states “periodic”. Document and justify what “periodic” means, and ensure that reviews are conducted in alignment with that. |
| Network segmentation test | Annually | Every 6 months | Required where network segmentation is used to limit the scope of PCI DSS; the test confirms that the segmentation controls isolate the CDE from out-of-scope networks. Service providers must test at least every six months and after any change to segmentation controls. |
| Penetration test: internal | Annually | Annually | At least annually, and after any significant change to the CDE. |
| Penetration test: external | Annually | Annually | At least annually, and after any significant change to the CDE. |
| Review and update network diagrams and data flow diagrams | Annually | Annually | At least annually, and after any significant change to the CDE. |
| Review and update information security policy and supporting policies and procedures | Annually | Annually | At least annually, and after any significant change to the CDE, after an incident response review, or after a change to the threat landscape. |
| Risk assessment | Annually | Annually | At least annually, and after any significant change to the environment or to the threat landscape. |
| Updated Attestation of Compliance (AoC) from service providers | Annually | Annually | Obtain an updated AoC when the current service provider AoC expires, so that each provider’s compliance status is confirmed at least annually. |
| Training: information security awareness | Annually | Annually | On hire and at least annually. This general security awareness training must include best practice for cardholder data handling. |
| Training: secure software development | Annually | Annually | At least annually for software development staff working on applications within the CDE. |
| Training: breach responsibilities | Annually | Annually | At least annually for staff assigned to incident response. |
| Test incident response plan | Annually | Annually | At least annually. |
| Staff acknowledgement of information security policies and procedures | Annually | Annually | On hire and at least annually. |
| Cryptographic key changes | Annually | Annually | At least annually is recommended; PCI DSS requires keys to be changed at the end of their defined cryptoperiod. Keys must also be retired or replaced sooner when their integrity has been weakened or compromise is suspected. |

Note that this table assumes an SAQ D-equivalent environment with all PCI DSS controls in play. The shape of the regular tasks can change quite dramatically if the eligibility criteria for one of the other SAQs can be met. Talk to your friendly neighbourhood PCI DSS QSA to understand your de-scoping options.
