Requirements Overview and Complete, Downloadable PDF Guide
PCI DSS 3.2.1 assessments are, in general, point-in-time assessments. This means that an organization is considered ‘compliant’ if it has all the applicable sub-requirements in place as of the report issuance date (the ‘point in time’).
Let’s say, for instance, that you have policies in place when you start an assessment, but they don’t address all the aspects required by PCI DSS, rendering your organization technically ‘non-compliant’ for the related sub-requirement. Given the point-in-time nature of a PCI DSS assessment, you can make the necessary updates to your policy, and once they are completed, you are considered compliant for that sub-requirement.
Perhaps you have a system component that’s not configured in a PCI-compliant manner. Update your configuration, and, once the configuration has been updated, you’re now considered compliant.
There are, however, several PCI DSS-related activities that must be performed on a daily, quarterly, semi-annual or annual basis. If these activities aren’t performed within the requisite period, you may find yourself non-compliant with little or no option for remediation, because a missed activity cannot be performed retroactively.
For the items below, it is critical that you perform the activity at the required frequency and equally important that you retain adequate levels of documentation surrounding the activity. We discuss each of these time-sensitive compliance requirements of PCI DSS 3.2.1 below:
Summary Overview of Time Sensitive PCI Compliance Requirements
Daily
- Daily log / security event review

Quarterly
- Internal vulnerability scans
- Approved scanning vendor (ASV) external vulnerability scans
- Wireless access point scanning
- Deletion of cardholder data that exceeds defined retention
- Review of adherence to security policies

Semi-Annual
- Firewall / router rule set review
- Network segmentation testing

Annual
- Penetration testing
- Updating of information security policy
- Secure coding practices training
- Information security training
- Employee acknowledgment of security policy
- Review of backup storage locations
- Inventory of backup media
- Incident response plan testing
- Service provider PCI compliance verification
If you are charged with your organization’s PCI compliance, we recommend adding calendar reminders for each of the items above.
For Further Information or Assistance with PCI Compliance Requirements
For additional information on PCI compliance requirements or a complimentary discussion about the status and needs of your current PCI compliance program, please contact Justin Bonk, Senior Manager via email Justin.Bonk@freedmaxick.com or phone 716.332.2680.