The PCI DSS (Payment Card Industry Data Security Standard) sets a number of expectations for IT assessment. Activities, from scanning for rogue wireless access points to reviewing vendor contracts, are scattered throughout the PCI Data Security Standard document.
Below is an attempt to assemble those requirements into a single schedule. Where the standard didn’t specify a frequency, I used reasonable “best practices” values. I hope this is a useful starting place for organizations working toward compliance, but it is definitely not a holistic IT security plan! There are lots of other security activities that should be taking place at every organization – this is just a summary of those discussed in the PCI DSS.
See anything that I missed? Did I get something wrong? Let me know in the comments and we’ll work toward an accurate sample schedule together!!
Sample PCI DSS assessment schedule
| Frequency | Activity | IT Area | PCI DSS Requirement |
| --- | --- | --- | --- |
| For EACH production change in the CHD environment | Follow change control procedures for all changes to production system components, including network devices, servers, application code, and databases. | Network, Servers, and Applications | 6.4 |
| For EACH network change in the CHD environment | Follow a formal process for approving, documenting, and testing all network connections and all changes to firewall and router configurations. Maintain an up-to-date, documented business case for each firewall rule. Maintain a current network diagram showing all connections to cardholder data, including any wireless networks. | Network | 1.1.1, 1.1.2, 1.1.5 |
| For EACH production change to CHD-handling code | Review custom code prior to release to production or customers in order to identify any potential coding vulnerability. | Applications | 6.3.7 |
| Daily | Review logs for all system components in the CHD environment at least daily. Log reviews must include those servers and network devices that perform security functions. Automated log review/alerting meets this requirement. | Network, Servers, and Applications | 10.6 |
| Daily | Monitor vendor security announcements and public vulnerability notifications. | Network, Servers, Desktop, and Applications | 6.2 |
| Monthly | Apply critical vendor patches within a month of release, including database, application, operating system, and network device patches. | Network, Servers, Desktop, and Applications | 6.1 |
| Quarterly and after EACH significant change | Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, or product upgrades). | Network, Servers, and Applications | 11.2 |
| Quarterly | Remove/disable inactive user accounts at least every 90 days. | Applications | 8.5.5 |
| Quarterly | Manually change user passwords at least every 90 days where automated password expiration is not in place. | Network, Servers, and Applications | 8.5.9 |
| Semi-annually | Validate anti-virus function and renew licenses if necessary. | Servers (Windows), Desktop | 5.2 |
| Semi-annually | Review firewall and router rule sets/configurations at least every six months. | Network | 1.1.6 |
| Annually and after EACH production change to CHD-handling web applications | Review public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any change. | Applications | 6.6 |
| Annually and after EACH significant change to CHD infrastructure or applications | Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a subnetwork added to the environment, or a web server added to the environment). | Network, Servers, and Applications | 11.3 |
| Annually | Review vendor contracts to ensure that applications and support practices meet PCI DSS requirements and that the vendor will continue to provide up-to-date security patches. Review service provider (vendors with access to CHD) contracts and documentation to ensure their ongoing PCI DSS compliance. | Legal | 6.3, 12.8 |
| Annually | Review/update the IT security policy and the security incident response plan at least annually or whenever the environment changes. | Policy / Legal | 12.1.3, 12.9.1 |
| Annually | Perform cryptographic key changes for all keys/certificates used to protect CHD (including SSL certificates, encryption keys, VPN certificates, SSH keys, etc.) at least annually. | Network, Servers, and Applications | 3.6.4 |
| Annually and upon new hire | Implement a formal security awareness program to make all employees aware of the importance of cardholder data security. Educate employees upon hire and at least annually. | Policy | 12.6 |
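Three of the rows above (8.5.5 inactive accounts, 8.5.9 manual password changes, 3.6.4 key/certificate rotation) are all the same kind of check: compare the age of a record against a maximum and flag anything older. The script below is an added example that is not part of the original post; it applies the three limits from the schedule to a constructed inventory of accounts and key material. The `Account` and `KeyMaterial` records, their field names and the sample dates are assumptions made for the example; in practice they would be populated from a directory export and a certificate/key inventory.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Age limits taken from the schedule: 90 days for inactive accounts (8.5.5)
# and for manual password changes (8.5.9), one year for keys/certs (3.6.4).
MAX_INACTIVE_DAYS = 90
MAX_PASSWORD_AGE_DAYS = 90
MAX_KEY_AGE_DAYS = 365


@dataclass
class Account:
    # Hypothetical record shape; a real export will differ.
    name: str
    last_login: Optional[date]   # None = never logged in
    password_changed: date
    auto_expiry: bool            # True if the system expires passwords itself


@dataclass
class KeyMaterial:
    # Hypothetical record shape for a key/certificate inventory entry.
    label: str
    rotated: date                # date the key or certificate was last replaced


def _age_days(when: Optional[date], today: date) -> Optional[int]:
    """Whole days between `when` and `today`; None if the date is unknown."""
    return None if when is None else (today - when).days


def inactive_accounts(accounts: List[Account], today: date) -> List[str]:
    """8.5.5: accounts with no login in the last 90 days, or never used at all."""
    flagged = []
    for a in accounts:
        age = _age_days(a.last_login, today)
        if age is None or age > MAX_INACTIVE_DAYS:
            flagged.append(a.name)
    return flagged


def stale_passwords(accounts: List[Account], today: date) -> List[str]:
    """8.5.9: passwords older than 90 days where no automated expiry exists."""
    return [a.name for a in accounts
            if not a.auto_expiry
            and _age_days(a.password_changed, today) > MAX_PASSWORD_AGE_DAYS]


def overdue_keys(keys: List[KeyMaterial], today: date) -> List[str]:
    """3.6.4: keys/certificates not rotated within the last year."""
    return [k.label for k in keys
            if _age_days(k.rotated, today) > MAX_KEY_AGE_DAYS]


def assessment_report(accounts: List[Account], keys: List[KeyMaterial],
                      today: date) -> dict:
    """Group findings by the PCI DSS requirement they relate to."""
    return {
        "8.5.5": inactive_accounts(accounts, today),
        "8.5.9": stale_passwords(accounts, today),
        "3.6.4": overdue_keys(keys, today),
    }


# Constructed sample inventory (not real data) and a fixed "today" so the
# result is reproducible.
TODAY = date(2024, 6, 30)
SAMPLE_ACCOUNTS = [
    Account("alice", date(2024, 6, 28), date(2024, 5, 1), auto_expiry=True),
    Account("bob", date(2024, 2, 10), date(2024, 1, 15), auto_expiry=False),
    Account("svc-batch", None, date(2023, 11, 1), auto_expiry=False),
    Account("carol", date(2024, 6, 1), date(2024, 2, 1), auto_expiry=False),
]
SAMPLE_KEYS = [
    KeyMaterial("web TLS cert", date(2023, 9, 1)),
    KeyMaterial("db encryption key", date(2023, 5, 15)),
    KeyMaterial("vpn cert", date(2024, 1, 20)),
]

if __name__ == "__main__":
    for req, items in assessment_report(SAMPLE_ACCOUNTS, SAMPLE_KEYS, TODAY).items():
        print(f"{req}: {items if items else 'OK'}")
```

Two choices worth noting: an account that has never logged in is treated as inactive rather than ignored, since a never-used account is exactly what 8.5.5 is meant to catch, and the comparison is strictly greater than the limit, so a record that is exactly 90 or 365 days old is still within the schedule.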
