Payment Card Industry (PCI) – Recurring Requirements Require Attention!

There are certain items contained within the 12 PCI requirements that have to be performed based on defined frequencies. In my experience, companies sometimes struggle with adhering to some if not all of these items. There are a number of reasons that this might happen, whether it’s related to employee turnover, unfamiliarity with the items, or just plain neglect. I felt inclined to offer some suggestions to help the process.

The first recommendation is for the responsible person(s) to familiarize themselves with the frequency-defined requirements. Searching through the PCI Report on Compliance template, located at: https://www.pcisecuritystandards.org/document_library, for words such as ‘day,’ ‘daily,’ ‘week,’ ‘month,’ ‘quarter,’ ‘annual,’ ‘frequency,’ and ’year’ should find most if not all of the items. Keep in mind that this will uncover those frequencies defined by the PCI Council, however, there will be other frequencies defined by your company’s internal policies (e.g. how often a company inspects their Point of Sale (POS) terminals for tampering).

Another recommendation would be to have multiple employees assigned to review compliance, ensuring the tasks are performed based on the defined frequency. If it’s not feasible to assign multiple employees, at least assign a primary and a backup. This way, if a person is on vacation or leaves the company, the alternate still has a chance to execute the steps and prevent the risk of non-compliance.

A final recommendation is to set up some kind of recurring notification alert prior to the frequency deadline. The person(s) responsible for PCI compliance won’t necessarily need a robust system for notifications such as ticketing systems (e.g. Jira, ServiceNow) or GRC tools. The responsible person(s) can simply set up email calendar reminders to ensure the checks are performed. It wouldn’t hurt to set up a backup reminder, sort of like a snooze button on an alarm clock – we all can get busy and sometimes miss reminders.

Below is a list of some items with defined frequencies. Please note this is not an all-inclusive list and that there are additional requirements for Service Providers:

Frequency Requirement Tasks to Perform
Daily 10.6.1 Daily log reviews of critical systems.
Weekly 11.5 Critical file comparisons (e.g. File Integrity Monitoring).
Monthly 6.2 Install critical patches
Quarterly 11.1 Test for presence of wireless access points.
Quarterly 11.2 Run internal and external vulnerability scans.
Quarterly 11.2.2 Perform external vulnerability scans via an Approved Scanning Vendor (ASV).
Every three (3) months 8.1a Observe and review inactive user accounts.
Every three (3) months 8.2.4 Change user password/passphrases at least once every 90 days.
Every six (6) months 1.1.7 Review firewall rulesets (if applicable).
Annually 6.5a Train developers on secure coding practices.
Annually 11.3.1 and 11.3.2 Perform an internal and external penetration tests (note: Service Providers must perform tests every 6 months).
Annually 12.1.1 Review the company security policy.
Annually 12.2 Perform a risk assessment.
Annually 12.6 Administer employee security awareness training.
Annually 12.8.4 Maintain a program to monitor service providers’ PCI DSS compliance status.
Annually 12.10 Review and test the incident response plan.

Ensuring that frequency-defined requirements are complete is always easier than building a time machine for a missed item. For most customers, a non-compliant RoC is not an option, especially if the non-compliance was a result of overlooking frequency-based items that could have easily been performed.

You can refer to the Payment Card Industry Data Security Standard here https://www.pcisecuritystandards.org for all frequency-defined requirements and more information.