In this blog, we’re going to do a quick review of PCI DSS Requirement 12.11 and provide some strategies for service providers who need to maintain PCI compliance. As you may have guessed from context clues in the first sentence of this blog, this requirement only applies to service providers and does not need to be addressed by merchants. So if you are part of a merchant organization, feel free to keep reading for your own education or go check out some of our other PCI compliance tips here or here.
What does Requirement 12.11 cover?
This requirement was one of the new ones introduced in PCI DSS v3.2, intended to help service providers ensure they maintain PCI compliance throughout the year between assessments. The requirement mandates that service providers conduct checks on at least a quarterly basis to confirm that personnel are following the policies and procedures in place for at least 5 different areas of compliance:
- Daily log reviews
- Firewall rule-set reviews
- Applying configuration standards to new systems
- Responding to security alerts
- Change management processes
Tips for Complying with this Requirement
While it may seem very straightforward, many organizations run into issues with this requirement. First, you’ll want to make sure you have some kind of calendar event or reminder to ensure you are conducting these checks on a quarterly basis. This is easy to forget because the check itself is purely a compliance activity: your security/compliance team may feel that the underlying tasks are already being done on a regular basis, so why check?
Beyond just making sure these checks are occurring, your team needs a detailed procedure that covers what they are doing when they conduct these quarterly due diligence checks. How are you checking that log reviews are occurring? How are you verifying that security alerts are being responded to? This procedure should be detailed enough so that anyone on the IT, security, or compliance teams can follow it and maintain compliance, avoiding a single point of failure situation if someone is out sick or there is staff turnover.
Finally, besides the calendar reminder to actually conduct the checks and the procedure to follow when performing them, the other important piece is the evidence that you actually performed the checks (per Requirement 12.11.1)! This is the number one most forgotten piece of the puzzle. Create a memo, ticket, or some other kind of record that works for your organization. The record should include, at a minimum, who performed the checks, the date the checks were performed, signed approval by the party responsible for PCI compliance in your organization, and the evidence collected that the listed control areas are being met and procedures are being followed appropriately. This can be screenshots, a narrative describing the checks performed, details of what was observed, etc. There just needs to be enough substance to give some level of confidence that these checks are being done.
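The two questions above ("How are you checking that log reviews are occurring?" and what the 12.11.1 record must contain) can both be backed by a small script. The following is an added example written for this post, not code from the blog author or from the PCI SSC: it reads a constructed list of daily log-review tickets, reports any days in the quarter with no review recorded, and checks a quarterly-review record for the minimum fields the text lists (performer, date, approver, evidence per control area). The record format, field names, and control-area keys are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed sample evidence: one line per daily log review that was recorded.
# Assumed format for this example: "YYYY-MM-DD,reviewer,ticket-id"
SAMPLE_LOG_REVIEW_RECORDS = """\
2024-01-01,alice,LR-1001
2024-01-02,alice,LR-1002
2024-01-03,bob,LR-1003
2024-01-05,bob,LR-1005
"""

# The five control areas named in Requirement 12.11 (keys are an assumption).
CONTROL_AREAS = (
    "daily_log_reviews",
    "firewall_ruleset_reviews",
    "configuration_standards_new_systems",
    "security_alert_response",
    "change_management",
)


def parse_review_dates(text: str) -> set:
    """Return the set of dates on which a log review was recorded."""
    dates = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments in the evidence file
        day_str, _reviewer, _ticket = line.split(",", 2)
        dates.add(date.fromisoformat(day_str))
    return dates


def missing_review_days(text: str, start: date, end: date) -> list:
    """List every calendar day in [start, end] with no recorded log review.

    A non-empty result is the finding to document in the quarterly check:
    the daily log review procedure was not followed on those days.
    """
    reviewed = parse_review_dates(text)
    missing = []
    day = start
    while day <= end:
        if day not in reviewed:
            missing.append(day)
        day += timedelta(days=1)
    return missing


@dataclass
class QuarterlyCheckRecord:
    """Minimum contents of a 12.11.1 record, as described in the post."""
    performed_by: str = ""
    performed_on: Optional[date] = None
    approved_by: str = ""
    # control area -> evidence reference (ticket id, screenshot path, narrative)
    evidence: dict = field(default_factory=dict)


def record_gaps(record: QuarterlyCheckRecord) -> list:
    """Return the names of required items missing from the record (empty = complete)."""
    gaps = []
    if not record.performed_by:
        gaps.append("performed_by")
    if record.performed_on is None:
        gaps.append("performed_on")
    if not record.approved_by:
        gaps.append("approved_by")
    for area in CONTROL_AREAS:
        if not record.evidence.get(area):
            gaps.append(f"evidence:{area}")
    return gaps


if __name__ == "__main__":
    # Check the constructed evidence for the first five days of the quarter.
    gaps = missing_review_days(SAMPLE_LOG_REVIEW_RECORDS, date(2024, 1, 1), date(2024, 1, 5))
    print("days with no log review:", [d.isoformat() for d in gaps])

    rec = QuarterlyCheckRecord(
        performed_by="carol",
        performed_on=date(2024, 4, 2),
        approved_by="pci-owner",
        evidence={area: f"QC-2024Q1-{area}" for area in CONTROL_AREAS},
    )
    print("record gaps:", record_gaps(rec))
```

In practice the evidence input would be an export from the ticketing or SIEM system rather than a string, and the same gap-finding approach applies to the other areas (for example, change tickets without approval or alerts without a closed response ticket); the quarterly record then references the script output as evidence.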
Requirement 12.11 is pretty simple and straightforward, but it is easy to miss, forget, or leave poorly documented over the course of a year. Many organizations may find it hard to keep track of these checks when things get busy, so reminders are important. Similarly, it is critical that you have procedures you follow for these checks and evidence supporting that the checks were performed as stated. An external auditor isn’t going to take your word for it, so like all PCI requirements, documented evidence is crucial. As always, if you have any questions or want clarification on any PCI requirement and how it applies to you, reach out to us!