Time Sensitive PCI Compliance Checklist for 2022


Senior Manager, Freed Maxick Risk Advisory Services


Requirements Overview and Complete, Downloadable PDF Guide

PCI DSS 3.2.1 assessments are, in general, point-in-time assessments, meaning that an organization is considered ‘compliant’ if it has all the applicable sub-requirements in place as of the report issuance date (the ‘point-in-time’).

Let’s say, for instance, that you have policies in place when you start an assessment, but they don’t address all of the aspects required by PCI, rendering your organization technically ‘non-compliant’ for the related sub-requirement. Given the point-in-time nature of a PCI DSS assessment, you can make the necessary updates to your policy, and once they are completed, you are considered compliant for that sub-requirement.

Perhaps you have a system component that’s not configured in a PCI-compliant manner. Update your configuration, and, once the configuration has been updated, you’re now considered compliant.

There are, however, several PCI DSS-related activities that must be performed on a daily, quarterly, semi-annual or annual basis. If these activities aren’t performed within the requisite period, you may find yourself non-compliant with little to no option for remediation, because a missed scan or review cannot be performed retroactively.

For the items below, it is critical that you perform the activity at the required frequency and equally important that you retain adequate levels of documentation surrounding the activity. We discuss each of these time-sensitive compliance requirements of PCI DSS 3.2.1 below:

Summary Overview of Time Sensitive PCI Compliance Requirements

PCI Requirements

- Daily log / security event review
- Internal vulnerability scans
- Approved scanning vendor (ASV) external vulnerability scans
- Wireless access point scanning
- Deletion of cardholder data that exceeds defined retention
- Review of adherence to security policies
- Firewall / router rule set review
- Network segmentation testing
- Penetration testing
- Updating of information security policy
- Secure coding practices training
- Information security training
- Employee acknowledgment of security policy
- Review of backup storage locations
- Inventory of backup media
- Incident response plan testing
- Service provider PCI compliance verification

If you are charged with your organization’s PCI compliance, we recommend adding calendar reminders for each of the items above, and retaining the evidence (scan reports, review sign-offs, training records) that shows each activity was completed on time.

For Further Information or Assistance with PCI Compliance Requirements

For additional information on PCI compliance requirements or a complimentary discussion about the status and needs of your current PCI compliance program, please contact Justin Bonk, Senior Manager via email Justin.Bonk@freedmaxick.com or phone 716.332.2680.
