Summing It Up

Time Sensitive PCI Compliance Checklist for 2022 | Freed Maxick

Written by Justin Bonk, CISSP, PCI-QSA, CIA, CISA, CIPP/US | Thu, Jul 07, 2022 @ 05:15 PM

Requirements Overview and Complete, Downloadable PDF Guide

PCI DSS 3.2.1 assessments are, in general, point-in-time assessments. Meaning that an organization is considered ‘compliant’ if they have all the applicable sub-requirements in place as of the report issuance date (the ‘point-in-time).

Let’s say for instance, you have policies in place when you start an assessment, however, they don’t address all necessary aspects required by PCI, rendering your organization technically ‘non-compliant’ for the related sub-requirement. Given the point-in-time nature of a PCI DSS assessment, you can make the necessary updates to your policy, and once completed, you are considered compliant for that sub-requirement.

Perhaps you have a system component that’s not configured in a PCI-compliant manner. Update your configuration, and, once the configuration has been updated, you’re now considered compliant.

There are, however, several PCI DSS-related activities that must be performed on a daily, quarterly, semi-annual or annual basis. If these activities aren’t performed within the requisite period, you may find yourself non-compliant with little to no options for remediation.

For the items below, it is critical that you perform the activity at the required frequency and equally important that you retain adequate levels of documentation surrounding the activity. We discuss each of these time-sensitive compliance requirements of PCI DSS 3.2.1 below:

Summary Overview of Time Sensitive PCI Compliance Requirements

Daily
PCI Requirements

Quarterly
PCI Requirements

Semi-Annual
PCI Requirements

Annual
PCI Requirements

Daily log / security event review

 

Internal vulnerability scans

 

Approved scanning vendor (ASV) external vulnerability scans

 

Wireless access point scanning

 

Deletion of cardholder data that exceeds defined retention

 

Review of adherence to security policies

Firewall / router rule set review

 

Network segmentation testing

Penetration testing

 

Updating of information security policy

 

Secure coding practices training

 

Information security training

 

Employee acknowledgment of security policy

 

Review of backup storage locations

 

Inventory of backup media

 

Incident response plan testing

 

Service provider PCI compliance verification


If you are charged with your organization’s PCI compliance, we recommend adding calendar reminders for each of the items above.

For Further Information or Assistance with PCI Compliance Requirements

For additional information on PCI compliance requirements or a complimentary discussion about the status and needs of your current PCI compliance program, please contact Justin Bonk, Senior Manager via email Justin.Bonk@freedmaxick.com or phone 716.332.2680.