Maintaining PCI Compliance

Maintaining PCI compliance requires you to keep your security program up to date and perform certain activities throughout the year. If you don't stay on top of them, you could find yourself missing a key component, such as a quarterly ASV scan, which cannot be performed retroactively, and that will result in a failing Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ). To help you maintain PCI compliance, this post walks through the things you need to stay on top of throughout the year. The requirement numbers below follow the PCI DSS v3.2.x numbering.

Immediately

  • 8.1.3 – Revoke access for any terminated employees.

Daily

  • 10.6.1 – Review log files and follow up on any anomalies.

Weekly

  • 11.5 – Your change-detection mechanism (file integrity monitoring) must perform critical file comparisons at least weekly, and you need to follow up on any alerts.

1 Month

  • 6.2 – Critical security patches, as ranked by your 6.1 risk-ranking process, must be installed within one month of release; other applicable patches within an appropriate time frame.

Quarterly

PCI DSS mixes three phrasings: every 90 days, every three months, and quarterly. They are not identical. A 90-day window is measured from the last time the activity was performed, while a calendar quarter is satisfied by any date inside it, so two activities done in adjacent quarters (say early April and late July) can still be more than 90 days apart. For the purposes of this post, I include them all here under Quarterly; when in doubt, track the stricter 90-day interval.

  • 3.1 – A quarterly process to identify and securely delete stored cardholder data that exceeds your defined retention period.
  • 8.1.4 – Remove or disable user accounts that have been inactive for 90 days.
  • 8.2.4 – All users must change their passwords/passphrases at least once every 90 days.
  • 9.1.1 – Physical access logs or video recordings from sensitive areas must be retained for at least 3 months.
  • 9.4.4 – Visitor logs must be retained for at least 3 months.
  • 10.7 – A minimum of 3 months of audit logs must be immediately available for analysis.
  • 11.1 – Test for wireless access points quarterly to identify authorized and rogue access points, and keep an inventory of the authorized ones.
  • 11.2 – An external vulnerability scan by an Approved Scanning Vendor (ASV) and an internal vulnerability scan by qualified personnel must be completed at least quarterly and after any significant change, with rescans until you have a passing external scan and all high-risk internal findings are resolved. Your assessment needs four consecutive passing quarterly ASV scans, so a missed quarter cannot be made up later.

6 Months

  • 1.1.7 – Review firewall and router rule sets at least every six months.
  • 11.3.4.1 – Service providers must perform segmentation penetration testing at least every six months and after any change to segmentation controls.

Annually

  • Review and confirm your PCI DSS scope before the assessment, including the accuracy of your cardholder data flows and network diagrams.
  • QSA on-site assessment (or completion of the applicable SAQ if you self-assess).
  • 6.5 – Train developers in up-to-date secure coding techniques at least annually.
  • 9.5.1 – Review the security of the location used for offsite media backups at least annually.
  • 9.7.1 – Conduct an inventory of all media at least annually and keep the inventory log current.
  • 10.7 – Audit logs must be retained for at least one year, with the most recent 3 months immediately available.
  • 11.3 – External and internal penetration tests at least annually and after any significant infrastructure or application change.
  • 11.3.4 – Segmentation penetration test at least annually and after any change to segmentation controls (service providers must do this every six months, as above).
  • 12.1.1 – Review security policies at least annually and update them when the environment changes.
  • 12.2 – Conduct a formal risk assessment at least annually and upon significant changes to the environment.
  • 12.6 – Personnel must receive security awareness training upon hire and at least annually thereafter, and must acknowledge at least annually that they have read and understood the security policies.
  • 12.8.4 – Monitor the PCI DSS compliance status of all service providers at least annually.
  • 12.10.2 – Review and test your incident response plan at least annually.