.png?width=190&height=44&name=FM_CMYK-Horizontal-white%20text%20(2).png "FM_CMYK-Horizontal-white text (2)"){kind=small}
Justin Bonk, CISSP, PCI-QSA, CIA, CISA, CIPP/US
Senior Manager, Freed Maxick Risk Advisory Services
If you're classified as a service provider you need to implement policies and procedures, and response mechanisms for addressing any failures in critical security mechanisms including firewalls, intrusion detection systems, intrusion prevention systems, and antivirus file integrity management systems.
Click to see a short video on PCI DSS 3.2’s Section 10.8 and 10.8.1 requirements
Freed Maxick 10.8 / 10.8.1 Guidance
Policies and procedures should be reviewed and updated in the event of process changes and should accurately reflect the organization’s current PCI environment. Detection mechanisms should be configured appropriately to alert trained and qualified personnel in the event of critical security control failure.
Critical security control failures should be responded to as soon as possible. Any lag time in response or remediation can lead to unauthorized control of system resources, data leakage, or the installation of malicious software. It is necessary that documentation is prepared to support security failure response from an employee and system level perspective.
PCI DSS Resources
To receive more insights and guidance on 10.8 and 10.8.1 compliance and other PCI DSS requirements, read our blog post and get a downloadable overview of all recent updates and revisions.
Freed Maxick services for PCI DSS Compliance can be found here. If you wish for a more detailed discussion of your organization’s situations and needs, contact us or call me at 716.847.2651.