To maintain PCI DSS compliance, there are a number of tasks which must be conducted on a regular basis.
I’ve taken the liberty of collating all of these regular tasks into one table. Where the frequency of a task is “regular” or “periodic”, I have made a recommendation based upon my experience as a QSA. Depending upon the environment and threat landscape, it could be justified for these indeterminate frequencies to shift in either direction.
Task | Merchant | Service Provider | Notes |
---|---|---|---|
CDE Log Reviews | Daily | Daily | Review logs of system components within the CDE, and supporting the CDE. Investigate and if necessary escalate any anomalies identified. |
Anti-Malware Scans | Daily | Daily | Daily is recommended, although PCI DSS states “periodic”. Document and justify what “periodic” is, and ensure system components are configured in alignment with that. |
Anti-Malware Engine & Signature Updates | Daily | Daily | Daily is recommended, although PCI DSS states “regularly”. Document and justify what “regular” is, and ensure system components are configured in alignment with that. |
Remove or disable inactive user accounts | Daily | Daily | No active account may remain on a system if it has not been logged into for 90 days. |
PED terminal inspections | Daily | Daily | Daily is recommended, although PCI DSS states “regularly”. Document and justify what “regular” is, and ensure that PED terminals are inspected in alignment with that. |
BAU Log Reviews | Weekly | Weekly | Weekly is recommended, although PCI DSS states “periodic”. Document and justify what “periodic” is, and ensure BAU logs are reviewed in alignment with that. |
Change Detection Mechanism (FIM) | Weekly | Weekly | Most FIM tools operate on-access rather than conduct periodic scanning. |
Patching (Security) | Monthly | Monthly | CVSS ≥ 4.0 for internet-facing system components. CVSS ≥ 7.0 for internal system components. Anything which has been identified as “High” or “Critical” by penetration testing. |
Evaluations of system components not commonly affected by malware | Monthly | Monthly | Monthly is recommended, although PCI DSS states “periodic”. Document and justify what “periodic” is, and ensure system components are configured in alignment with that. |
Patching (General) | Monthly | Monthly | It is recommended to apply all patches rather than just security patches, although patches with no security impact can be delayed as long as the frequency is documented and justified. Be careful that patches do not impact availability. |
Stored CHD Disposal (outside data retention policy) | Quarterly | Quarterly | Any stored cardholder data which falls outside the scope of the data retention policy must be deleted and rendered forensically irretrievable. |
Vulnerability Assessment: Internal | Quarterly | Quarterly | Must be conducted by someone with operational independence. |
Vulnerability Assessment: External (ASV) | Quarterly | Quarterly | Must be conducted by a PCI SSC Approved Scanning Vendor (ASV) in good standing with the PCI SSC. See the ASV Programme Guide for further details. |
Wireless Assessment | Quarterly | Quarterly | This can be replaced with the use of automated wireless monitoring tools or network access control. |
Password changes | Quarterly | Quarterly | Any passwords over 90 days old must be changed. |
Review of security processes | N/A | Quarterly | Review security processes to ensure the policies and procedures are being followed by staff. Document the results of the review. |
Firewall configuration reviews | Bi-Annually | Bi-Annually | Review firewall configurations at least every six months to ensure the rule tables are appropriate for the business need. |
Review of storage facilities used to store cardholder data on removable media or hardcopy | Bi-Annually | Bi-Annually | Bi-Annually is recommended, although PCI DSS states “periodic”. Document and justify what “periodic” is, and ensure that reviews are conducted in alignment with that. |
Review of inventory of removable media or hardcopy used to store cardholder data | Bi-Annually | Bi-Annually | Bi-Annually is recommended, although PCI DSS states “periodic”. Document and justify what “periodic” is, and ensure that reviews are conducted in alignment with that. |
Network Segmentation Test | Annually | Bi-Annually | This is a requirement where network segmentation is used to limit the scope of PCI DSS. |
Penetration Test: Internal | Annually | Annually | At least annually, or after any major change to the CDE. |
Penetration Test: External | Annually | Annually | At least annually, or after any major change to the CDE. |
Review and update network diagrams and flow diagrams | Annually | Annually | At least annually, or after any major change to the CDE. |
Review and update Information Security Policy and supporting policies and procedures | Annually | Annually | At least annually, or after any major change to the CDE, or after an incident response review, or after a change to the threat landscape. |
Risk assessment | Annually | Annually | At least annually, or after any major change to the CDE, or after a change to the threat landscape. |
Updated Attestation of Compliance “AoC” from Service Providers | Annually | Annually | This should be conducted when the current service provider AoC expires. |
Training: Information Security Awareness | Annually | Annually | At least annually, and on hire. This general security awareness training must include best practice for cardholder data handling. |
Training: Secure Software Development | Annually | Annually | At least annually for software development staff operating within the CDE. |
Training: Breach Responsibilities | Annually | Annually | At least annually for staff assigned to incident response. |
Test incident response plan | Annually | Annually | At least annually. |
Staff acknowledgement of information security policies and procedures | Annually | Annually | At least annually, and on hire. |
Cryptographic Key Changes | Annually | Annually | At least annually, or when the algorithm or key is known to be weakened. |
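The “Patching (Security)” row above combines three triggers (CVSS ≥ 4.0 for internet-facing components, CVSS ≥ 7.0 for internal components, and any “High” or “Critical” penetration test finding) into one monthly obligation. The following is an added example, not code from the original post, that applies those rules to a constructed set of findings and flags anything whose patch window has closed; the 30-day window, the `Finding` fields and the sample data are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds from the table's "Patching (Security)" row.
INTERNET_FACING_CVSS = 4.0
INTERNAL_CVSS = 7.0
PENTEST_MANDATORY = {"high", "critical"}
PATCH_WINDOW = timedelta(days=30)  # "Monthly"; a 30-day window is an assumption


@dataclass
class Finding:
    host: str
    title: str
    cvss: float            # CVSS base score as reported by the scanner
    internet_facing: bool  # comes from the asset inventory, not the scan
    source: str            # "scan" or "pentest"
    identified: date       # date the finding was first reported
    severity: str = ""     # tester-assigned rating for pentest findings


def in_mandatory_scope(f: Finding) -> bool:
    """True when the page's rules require the finding to be patched."""
    if f.source == "pentest" and f.severity.lower() in PENTEST_MANDATORY:
        return True  # pen-test High/Critical is in scope regardless of CVSS
    threshold = INTERNET_FACING_CVSS if f.internet_facing else INTERNAL_CVSS
    return f.cvss >= threshold


def patch_due_date(f: Finding) -> date:
    return f.identified + PATCH_WINDOW


def overdue(findings, today: date):
    """In-scope findings whose monthly patch window has already closed."""
    return [f for f in findings
            if in_mandatory_scope(f) and patch_due_date(f) < today]


# Constructed sample findings (not real scan or pen-test output).
SAMPLE = [
    Finding("web01", "TLS weak cipher", 5.3, True, "scan", date(2024, 1, 2)),
    Finding("db01", "Unpatched DB service", 6.5, False, "scan", date(2024, 1, 2)),
    Finding("app02", "Outdated library", 8.1, False, "scan", date(2024, 1, 20)),
    Finding("vpn01", "Auth bypass", 3.9, True, "pentest", date(2024, 1, 10), "Critical"),
]

if __name__ == "__main__":
    for f in SAMPLE:
        status = "in scope" if in_mandatory_scope(f) else "out of scope"
        print(f.host, status, "due", patch_due_date(f))
    print("overdue:", [f.host for f in overdue(SAMPLE, date(2024, 2, 10))])
```

Note that `db01` drops out of mandatory scope only because it is internal; the same 6.5 score on an internet-facing host would be in scope.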
Note that this table assumes a SAQ-D equivalent environment with all PCI DSS controls in play. The shape of the regular tasks can change quite dramatically if the eligibility criteria for other SAQs can be met. Talk to your friendly neighbourhood PCI DSS QSA to understand your de-scoping options.