The Payment Card Industry Data Security Standard (PCI DSS) presents many compliance challenges, especially for large, complex organizations. Among these challenges are various periodic (e.g., monthly, quarterly, semi-annually) control requirements found throughout the standard. Achieving and maintaining PCI compliance requires a continuous management approach to successfully execute these control requirements and then demonstrate execution during the annual assessment. Over the course of a year, which is the typical assessment period, it is not uncommon for organizations to overlook execution of one or more of these requirements. This could necessitate an extension to the assessment period to make up for the overlooked task or, at the very worst, could result a non-compliant assessment. Execution of these periodic requirements is often overlooked due to the departure of assigned personnel or other organizational factors and are not attributable to mere negligence. Regardless, the PCI DSS requires these periodic tasks to be executed according to the prescribed schedule and omission of one or more instances is cause for an assessor to find the entity non-compliant.

Rather than risk omission of a periodic control requirement, it is essential that entities pro-actively monitor these requirements for completion. First and foremost, ownership of each control must be formally assigned to a responsible individual or team. Second, resources must be implemented to remind owners to execute controls, record the results of execution, and facilitate management oversight. Commonly leveraged resources range from simple calendar reminders to more sophisticated governance, risk, and compliance (GRC) application suites. Entities must take responsibility for ensuring these tasks are successfully executed as there may be few, if any, opportunities to demonstrate execution after the period has passed.

Following is a summary of periodic control requirements found in PCI DSS version 3.2.1, along with some helpful guidance for executing and evidencing each requirement for the assessment. Depending on an entity’s scope of compliance and associated reporting obligations, some requirements may not be applicable. Entities are encouraged to contact their acquiring bank and consult with a PCI Qualified Security Assessor (QSA) to confirm their reporting and attestation obligations.

Daily Control Requirements

Requirement 10.6.1: Perform Log Review

  • This may be satisfied via manual or automated review methods.
  • Prescribed security event types must be reviewed for all cardholder data environment (CDE) system components.
  • Logs for servers and system components that perform security functions must also be reviewed.

Weekly Control Requirements

Requirement 11.5: Perform Critical File Comparisons

  • This may be satisfied via change detection mechanisms such as file integrity monitoring (FIM) software.
  • Comparisons must be executed for all CDE systems.
  • Must facilitate identification of unauthorized modification (including changes, additions and deletions) of critical system files, configuration files, or content files.

Monthly Control Requirements

Requirement 6.2: Install Critical Security Patches

  • This must be executed for all CDE system components and software applications.
  • Entities must have a formal vulnerability management program in place to define and identify critical security vulnerabilities.

Quarterly Control Requirements

Requirement 3.1: Identify and Securely Delete Stored Cardholder Data (CHD)

  • Entities must first define a CHD retention period. This is often accomplished through a data classification policy.
  • Entities then must review data storage repositories to ensure stored CHD does not exceed the defined retention period.
  • A secure deletion mechanism must be utilized to ensure data is not recoverable.

Requirement 8.1.4: Remove/Disable Inactive User Accounts At Least Every 90 Days

  • This must be executed for all account directories, whether internal or external, used to control access to the CDE.
  • This may be accomplished via automated review and disabling mechanisms.

Requirement 11.1: Test for the Presence of Wireless Access Points

  • Manual or automated mechanisms may be utilized to detect and identify all authorized and unauthorized wireless access points.
  • This requirement applies whether any wireless networks are utilized in the CDE and/or are in scope for compliance.

Requirement 11.2: Perform Internal and External Network Vulnerability Scans

  • All CDE systems must be subject to vulnerability scans.
  • For external ASV scans, vulnerabilities must be remediated and rescanned until a passing scan is achieved for each quarter.
  • Passing ASV reports must be dated no more than 90 days apart.
  • Scan reports, not raw scan results, must be produced for each quarter’s internal vulnerability scans.

Requirement 12.11: (Service Providers Only) Perform Reviews to Confirm Personnel are Following Security Policies and Operational Procedures

  • This requirement does not supersede other periodic requirements, rather is intended as an additional requirement for oversight of the following processes:
    • Daily log reviews
    • Firewall rule-set reviews
    • Applying configuration standards to new systems
    • Responding to security alerts
    • Change management processes

Requirement 12.11.1: (Service Providers Only) Maintain Documentation of Quarterly Review Process

  • Entities should record execution of oversight activities separately from the activities themselves.
  • Must include review and sign-off of results by personnel assigned responsibility for the PCI DSS compliance program.

Semi-annual Control Requirements

Requirement 1.1.7: Review Firewall and Router Rule Sets

  • Must include review of rule sets for all CDE firewalls and routers.
  • Records should include results of the review and any resulting remediation activities.

Requirement 11.3.4.1: (Service Providers Only) Test Segmentation Controls

  • Must be performed if segmentation is employed to isolate the CDE from other networks.
  • Must also be performed after any changes to segmentation controls/methods.
  • This requirement does not supersede annual penetration testing requirements.

Annual Control Requirements

Scope Identification & Validation: As Noted on Page 10 of PCI DSS v.3.2.1

  • “At least annually and prior to the annual assessment, the assessed entity should confirm the accuracy of their PCI DSS scope by identifying all locations and flows of cardholder data, and identify all systems that are connected to, or if compromised, could impact the CDE (e.g. authentication servers) to ensure they are included in the PCI DSS scope.”
  • The assessor will validate the defined scope as part of the assessment.

Requirement 6.5: Development Training

  • Development personnel must be trained in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities.
  • Training may be provided via internal or external programs.
  • Training records, preferably certificates of completion, should be retained.

Requirement 6.6: Review Public-Facing Web Applications

  • This must be conducted against all public-facing web applications utilized for card payment activities.
  • Either manual or automated application vulnerability security assessment tools or methods may be used.
  • This requirement does not apply if Web Application Firewalls are utilized for continual monitoring.

Requirement 9.5.1: Review Security of Media Backup Location

  • This only applies to the storage of CHD (in any media format) at off-site facilities.
  • In person reviews, though most effective, are not prescribed.

Requirement 9.7.1: Properly Maintain Inventory Logs of All Media and Conduct Media Inventories

  • This only applies to the storage of CHD (in any media format).
  • The results of inventory review should be recorded and provided to the assessor.

Requirement 11.3: Perform External and Internal Penetration Testing

  • Testing must be performed in accordance with documented methodology.
  • If applicable, internal penetration testers must be able to demonstrate qualifications such as through education, training, and/or certification records.
  • Testing records must demonstrate follow-up testing to validate correction of initial findings.

Requirement 11.3.4: Perform Segmentation Validation Testing

  • Must be performed if segmentation is employed to isolate the CDE from other networks.
  • Must also be performed after any changes to segmentation controls/methods.

Requirement 12.1.1: Review and Update the Security Policy

  • This may be accomplished by one-time or ongoing review of CDE policies.
  • Records should include results of review and, ideally, be recorded in the body of each policy.

Requirement 12.2: Perform a Risk Assessment

  • This must be a formal review of organizational risks including those that impact the CDE.
  • The PCI DSS assessment itself does not qualify as a risk assessment.

Requirement 12.6: Ensure Personnel Attend Security Awareness Training

  • Training may be provided via internal or external programs.
  • Entities must be able to provide records of successful completion by all CDE personnel.

Requirement 12.6.2: Personnel Must Acknowledge Security Policies

  • Acknowledgements may be solicited as part of annual training or separately.
  • Acknowledgements may be obtained electronically or via signature.

Requirement 12.8.4: Maintain a Program to Monitor Service Providers’ PCI DSS Compliance Status

  • This applies only to service providers with whom cardholder data is shared, or that could affect the security of cardholder data.
  • Entities should review service provider attestations for applicability, completeness, and validity.

Requirement 12.10.2: Test the Incident Response Plan

  • This should be a formal testing activity such as an active simulation or tabletop exercise.
  • Entities should be able to provide testing records to the assessor.

Miscellaneous Periodic Requirements

Several requirements include stipulations for periodic execution. In each case a period is not prescribed, however entities should define these periods in policies and procedures and be able to demonstrate execution accordingly.

Requirement 3.6.4: Encryption Key Changes

  • Entities should define a cryptoperiod for changing keys used to encrypt CHD.
  • Policies should also mandate changing keys in the event of a suspected compromise.

Requirement 5.1.2: Evaluation of Evolving Malware Threats

  • Entities must review the threat landscape to determine whether antivirus software should be installed on any non-Windows systems utilized in the CDE.
  • Records of these reviews should be available for the assessor.

Requirement 5.2: Antivirus Scans

  • Antivirus software must be configured to perform regular scans.
  • Scans should ideally be full system scans, not just targeted file scans.

Requirement 9.8: Media Destruction

  • This requirement applies to all media formats where CHD is stored.
  • Destruction records should be available for the assessor

Requirement 9.9.2: Payment Device Tamper Inspections

  • Inspections should ideally be conducted by responsible personnel or trusted support vendors.
  • Personnel who are assigned inspection duties must be subject to training.
  • Inspection records should be available for the assessor.

Requirement 12.10.4: Security Breach Response Training

  • Incident response personnel must be trained in up-to-date breach response techniques, including incident analysis and forensics.
  • Training may be provided via internal or external programs.
  • Training records, preferably certificates of completion, should be retained.

Providing Necessary Evidence

Active management of these periodic control requirements can eliminate situations where an organization is unprepared to demonstrate compliance during an assessment. Each of the activities listed above, as applicable to the entity and the CDE, will be reviewed by the assessor during a PCI assessment. All organizations experience employee turnover and, unfortunately, these departures can negatively impact the continuity of security operations and compliance programs. However, entities must be able to demonstrate that controls have been maintained and operational throughout the assessment period and allow the assessor to validate the effectiveness of the controls. Additionally, although control periods and objectives are defined in most cases, there may be more than one way to satisfy the requirement. An experienced and knowledgeable assessor can review control strategies and tactics as they are being implemented to validate that both the intent of the requirement and periodic execution obligations are satisfied.

Whether you’re looking to strengthen your entire network security program or your PCI compliance program specifically, our team at LBMC Information Security can help. Feel free to check out our library of resources and podcasts, which provide specific insights you can use to enhance every area of cybersecurity. Connect with our team to learn more about how we can help develop an effective PCI compliance program.

Reference: Payment Card Industry, Security Standards Council. Report on Compliance, v3.2.1. https://www.pcisecuritystandards.org/document_library.