A Cheat Sheet of Timeframes to Meet PCI DSS Requirements
PCI DSS by the Numbers

Keeping on track for PCI DSS compliance can be a challenge for both large and small organizations. It's no wonder that only 27.9% of organizations were fully compliant with PCI DSS during their "interim compliance validation" in 2019 – despite the best of efforts.
In this resource, the compliance experts at A-LIGN have laid out the various timetables associated with PCI DSS compliance. We've broken them down into bite-sized reminders for trigger-based events (Response), timeouts (Expiration), recurring tasks (Recurrence), and retention timeframes (Retention). Use this resource to look ahead on your calendar, put processes in place, and make plans in advance so nothing falls through the cracks.
Response
How quickly you need to respond to issues, incidents, or important events

Immediate

System Authentication: Revoke access for terminated users
Requirement: 8.1.3
Immediately revoke access for any terminated users.
Physical Access: Revoke physical access for terminated employees
Requirement: 9.3
Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled.

Security Policy: Respond to suspected breach
Requirement: 12.10
Implement an incident response plan. Be prepared to respond immediately to a system breach.

1 Month

Maintaining Systems & Applications: Install critical vendor security patches within 1 month of release
Requirement: 6.2
Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches within appropriate time frames. Install all critical security patches within one month of release.
6 Months

Testing Systems & Processes: Perform segmentation testing on segmentation controls (Service Providers Only)
Requirement: 11.3.4.1
Additional requirement for service providers only: If segmentation controls are utilized within the CDE, test and confirm effectiveness of the segmentation controls at least every six months and after any changes to segmentation controls/methods.

Annually

General: Confirm the accuracy of the PCI DSS scope
Requirement: Scope of PCI DSS Requirements
At least annually and prior to the annual assessment, the assessed entity should confirm the accuracy of their PCI DSS scope by identifying all locations and flows of cardholder data, and identify all systems that are connected to or, if compromised, could impact the CDE (for example, authentication servers) to ensure they are included in the PCI DSS scope. All types of systems and locations should be considered as part of the scoping process, including backup/recovery sites and failover systems.
To confirm the accuracy of the defined CDE, perform the following:
• The assessed entity identifies and documents the existence of all cardholder data in their environment, to verify that no cardholder data exists outside of the currently defined CDE.

Security Policy: Perform risk assessment
Requirement: 12.2
Implement a risk-assessment process that:
• Is performed at least annually and upon significant changes to the environment
• Identifies critical assets, threats, and vulnerabilities
• Results in a formal, documented analysis of risk
After Significant Changes

Testing Systems & Processes: Perform external penetration testing
Requirement: 11.3.1
Perform external penetration testing after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).

Testing Systems & Processes: Perform internal penetration testing
Requirement: 11.3.2
Perform internal penetration testing after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).

Testing Systems & Processes: Perform segmentation testing on all segmentation methods
Requirement: 11.3.4
If segmentation is used to isolate the CDE from other networks, perform penetration tests after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.

Maintaining Systems & Applications: Review public-facing web applications via manual or automated application layer vulnerability security assessment tools or methods
Requirement: 6.6
Review public-facing web applications via manual or automated application layer vulnerability security assessment tools or methods, at least annually and after any changes.

Testing Systems & Processes: Internal network vulnerability scans after changes or corrective rescans as required
Requirement: 11.2
Run internal network vulnerability scans after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).

Testing Systems & Processes: External ASV scans after changes or corrective rescans as required
Requirement: 11.2.3
Perform external ASV scans after any significant change to the environment, and rescans as needed, to confirm any previous scan failures have been properly remediated. Scans must be performed by qualified personnel.

Security Policy: Review policies and procedures
Requirement: 12.1.1
Review the security policy when there are significant changes within the environment that could affect policies and procedures.

Security Policy: Perform risk assessment
Requirement: 12.2
Implement a risk-assessment process that:
• Is performed upon significant changes to the environment (for example, acquisition, merger, relocation, etc.)
• Identifies critical assets, threats, and vulnerabilities
• Results in a formal, documented analysis of risk
Upon Hire

Security Policy: Conduct security awareness training
Requirement: 12.6.1
Educate personnel upon hire.

First Use

System Authentication: Change new/forgotten passwords/passphrases
Requirement: 8.2.6
Set passwords/passphrases for first-time use and upon reset to a unique value for each user, and change immediately after the first use.

Periodically

Physical Access: Destruction requirements
Requirement: 9.8
Destroy media when it is no longer needed for business or legal reasons.

Security Policy: Conduct training for staff with security breach response responsibilities (at least annually)
Requirement: 12.10.4
Provide appropriate training to staff with security breach response responsibilities.

Appropriate Time Frame

Maintaining Systems & Applications: Install applicable vendor-supplied non-critical security patches (as defined in the organization's risk ranking process)
Requirement: 6.2.a
Examine policies and procedures related to security patch installation to verify processes are defined for:
• Installation of all applicable non-critical vendor-supplied security patches within an appropriate time frame (for example, within three months).
Expiration
How long before policies or system configurations must be terminated

15 Minutes

System Authentication: Reauthentication required after idle session
Requirement: 8.1.8
If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.
30 Minutes

System Authentication: Account lockout duration after exceeding invalid password attempt threshold
Requirement: 8.1.7
Set the lockout duration to a minimum of 30 minutes or until an administrator resets the user ID.

Quarterly

System Authentication: Change passwords/passphrases
Requirement: 8.2.4
Users must be required to change passwords/passphrases at least once every 90 days.

Periodically

System Authentication: Change non-consumer customer user passwords/passphrases (Service Providers Only)
Requirement: 8.2.4.b
Additional testing procedure for service provider assessments only. Review internal processes and customer/user documentation to verify that:
• Non-consumer customer user passwords/passphrases are required to change periodically
• Non-consumer customer users are given guidance as to when, and under what circumstances, passwords/passphrases must change

Appropriate Time Frame

Maintaining Systems & Applications: Incorporate timeouts and rotation of session IDs after a successful login
Requirement: 6.5.10
Protect against broken authentication and session management, including session timeouts and rotation of session IDs after a successful login.
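The three System Authentication timeframes above (8.1.7, 8.1.8 and 8.2.4) are easiest to reason about as one small state machine. The following is an added example, not code from A-LIGN or from the PCI SSC; it keeps an in-memory account record and returns a policy decision for each event. The failed-attempt threshold (MAX_FAILED_ATTEMPTS) and the sample accounts in run_scenario are constructed assumptions, since this page does not state an attempt threshold.

```python
# Added example, not part of the A-LIGN cheat sheet. Minimal in-memory
# authentication policy enforcing the Expiration timeframes listed above:
#   8.1.8  re-authenticate after a session is idle more than 15 minutes
#   8.1.7  lock out for at least 30 minutes (or until an administrator resets)
#   8.2.4  force a password change once a password is 90 days old
# MAX_FAILED_ATTEMPTS and the sample accounts are constructed assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

IDLE_TIMEOUT = timedelta(minutes=15)       # Req. 8.1.8
LOCKOUT_DURATION = timedelta(minutes=30)   # Req. 8.1.7
PASSWORD_MAX_AGE = timedelta(days=90)      # Req. 8.2.4
MAX_FAILED_ATTEMPTS = 6                    # assumed threshold, not from the page


@dataclass
class Account:
    user_id: str
    password_set_at: datetime
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    last_activity: Optional[datetime] = None  # None: no active session


def is_locked(acct: Account, now: datetime) -> bool:
    return acct.locked_until is not None and now < acct.locked_until


def record_failed_login(acct: Account, now: datetime) -> str:
    """Count a failed attempt; lock the account once the threshold is reached."""
    if is_locked(acct, now):
        return "locked"
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked_until = now + LOCKOUT_DURATION
        acct.failed_attempts = 0
        return "locked"
    return "failed"


def admin_unlock(acct: Account) -> None:
    """8.1.7 allows an administrator reset instead of waiting out the 30 minutes."""
    acct.locked_until = None
    acct.failed_attempts = 0


def login(acct: Account, now: datetime) -> str:
    """Credentials were correct: refuse while locked, force rotation if stale."""
    if is_locked(acct, now):
        return "locked"
    acct.locked_until = None
    acct.failed_attempts = 0
    if now - acct.password_set_at >= PASSWORD_MAX_AGE:
        return "password_change_required"
    acct.last_activity = now
    return "ok"


def touch_session(acct: Account, now: datetime) -> str:
    """Called on every request; more than 15 idle minutes forces re-authentication."""
    if acct.last_activity is None:
        return "no_session"
    if now - acct.last_activity > IDLE_TIMEOUT:
        acct.last_activity = None
        return "reauthenticate"
    acct.last_activity = now
    return "active"


def run_scenario() -> list:
    """Constructed walk-through returning the sequence of policy decisions."""
    t0 = datetime(2024, 3, 4, 9, 0)
    alice = Account("alice", password_set_at=t0 - timedelta(days=10))
    out = [record_failed_login(alice, t0) for _ in range(MAX_FAILED_ATTEMPTS)]
    out.append(login(alice, t0 + timedelta(minutes=10)))          # still locked
    out.append(login(alice, t0 + timedelta(minutes=30)))          # lockout elapsed
    out.append(touch_session(alice, t0 + timedelta(minutes=40)))  # 10 min idle
    out.append(touch_session(alice, t0 + timedelta(minutes=56)))  # 16 min idle
    bob = Account("bob", password_set_at=t0 - timedelta(days=90))
    out.append(login(bob, t0))                                    # stale password
    return out
```

Note that the lockout comparison uses `now < locked_until`, so the account reopens exactly at the 30-minute mark, which is the minimum 8.1.7 allows; a stricter policy can only lengthen LOCKOUT_DURATION. The idle check uses a strict "more than 15 minutes" test to match the wording of 8.1.8.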
Recurrence
How frequently information should be evaluated or tasks should be performed

Daily

Access Tracking & Monitoring: Review logs
Requirement: 10.6.1
Review the following at least daily:
• All security events
• Logs of all system components that store, process, or transmit CHD and/or SAD
• Logs of all critical system components
• Logs of all servers and system components that perform security functions (firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.)
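A daily review under 10.6.1 is only practical if the "security events" are pulled out of the raw logs automatically so that a person reviews findings rather than every line. The following is an added example, not part of the A-LIGN cheat sheet: it parses authentication-server log lines and raises the kind of findings a reviewer should see (repeated failures, a success right after failures, a privileged group change, a direct root login). The log format, the sample lines, FAIL_THRESHOLD, FAIL_WINDOW and PRIVILEGED_GROUPS are all constructed for this example.

```python
# Added example, not part of the A-LIGN cheat sheet: automated first pass of
# the daily 10.6.1 log review over authentication-server events.
# Log format, sample lines and thresholds are constructed for this example.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (syslog-like, UTC timestamps).
SAMPLE_LOG = """\
2024-03-04T01:12:03Z auth-srv sshd: Failed password for svc_backup from 10.0.5.7
2024-03-04T01:12:09Z auth-srv sshd: Failed password for svc_backup from 10.0.5.7
2024-03-04T01:12:15Z auth-srv sshd: Failed password for svc_backup from 10.0.5.7
2024-03-04T01:12:21Z auth-srv sshd: Failed password for svc_backup from 10.0.5.7
2024-03-04T01:12:40Z auth-srv sshd: Accepted password for svc_backup from 10.0.5.7
2024-03-04T08:30:00Z auth-srv sshd: Accepted publickey for alice from 10.0.1.20
2024-03-04T09:05:12Z auth-srv usermod: user bob added to group wheel by alice
2024-03-04T22:10:00Z auth-srv sshd: Accepted password for root from 198.51.100.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")
ACCEPT_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
GROUP_RE = re.compile(r"user (?P<user>\S+) added to group (?P<group>\S+)")

FAIL_THRESHOLD = 3                                  # constructed review threshold
FAIL_WINDOW = timedelta(minutes=5)                  # constructed window
PRIVILEGED_GROUPS = {"wheel", "sudo", "administrators"}  # constructed list


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ev


def review(log_text):
    """Return the findings a human reviewer should look at, in log order."""
    findings = []
    failures = defaultdict(list)  # (user, source) -> timestamps of failed logins
    for ev in parse(log_text):
        msg = ev["msg"]
        if (m := FAILED_RE.search(msg)):
            key = (m["user"], m["src"])
            failures[key].append(ev["ts"])
            recent = [t for t in failures[key] if ev["ts"] - t <= FAIL_WINDOW]
            if len(recent) == FAIL_THRESHOLD:   # report once when the threshold is hit
                findings.append(f"brute-force pattern: {key[0]} from {key[1]}")
        elif (m := ACCEPT_RE.search(msg)):
            key = (m["user"], m["src"])
            if any(ev["ts"] - t <= FAIL_WINDOW for t in failures.get(key, [])):
                findings.append(f"success after failures: {key[0]} from {key[1]}")
            if m["user"] == "root":
                findings.append(f"direct root login from {m['src']}")
        elif (m := GROUP_RE.search(msg)):
            if m["group"] in PRIVILEGED_GROUPS:
                findings.append(f"privileged group change: {m['user']} -> {m['group']}")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

The review output is what gets attached to the daily sign-off; the raw lines stay in the retained audit trail (Requirement 10.7 below) so that any finding can be traced back to its source events.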
Weekly

Testing Systems & Processes: Perform critical file comparisons for unauthorized modification (including changes, additions and deletions) of critical system files, configuration files, or content files (usually by use of FIM tools) at least weekly
Requirement: 11.5
Deploy a change-detection mechanism (e.g. file-integrity monitoring tools) to alert personnel of potential unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files; and configure the software to perform these critical file comparisons at least weekly.
Quarterly

Security Policy: Document results of quarterly internal reviews and sign off by personnel assigned responsibility for the PCI DSS compliance program (Service Providers Only)
Requirement: 12.11.1
Additional requirement for service providers only. Maintain documentation of the quarterly internal audit review process to include:
• Documenting results of the reviews
• Review and sign-off of results by personnel assigned responsibility for the PCI DSS compliance program

Testing Systems & Processes: External ASV scans (see also After Significant Changes)
Requirement: 11.2
Run external network vulnerability scans by an Approved Scanning Vendor (ASV) at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).

Testing Systems & Processes: Internal network vulnerability scans (see also After Significant Changes)
Requirement: 11.2
Run internal network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).

Security Policy: Perform internal audit reviews to ensure adherence by personnel to the organization's security policies and operational procedures (Service Providers Only)
Requirement: 12.11
Additional requirement for service providers only. Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures.

Protect Stored Data: Process to ensure proper secure deletion of stored cardholder data that exceeds the organization's defined retention policy
Requirement: 3.1
Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data (CHD) storage:
• A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention.

System Authentication: Remove/disable inactive user accounts
Requirement: 8.1.4
Remove/disable inactive user accounts if inactive for over 90 days.

Testing Systems & Processes: Detect and identify authorized and unauthorized wireless access points
Requirement: 11.1
Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on at least a quarterly basis.
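Two of the quarterly items above are 90-day rules over the same user directory: 8.1.4 (disable accounts inactive for over 90 days) and, from the Expiration section, 8.2.4 (passwords changed at least every 90 days). The following is an added example, not part of the A-LIGN cheat sheet, that runs both checks over an account export and produces the action list for the quarterly review. The export format, the sample accounts, AS_OF, and the decision to treat an account that has never logged in as inactive are constructed assumptions.

```python
# Added example, not part of the A-LIGN cheat sheet: quarterly account review
# applying the two 90-day rules on this page (8.1.4 inactivity, 8.2.4 password age).
# The export format, sample accounts and AS_OF are constructed.
from datetime import date, timedelta

INACTIVITY_LIMIT = timedelta(days=90)   # Req. 8.1.4: "inactive for over 90 days"
PASSWORD_MAX_AGE = timedelta(days=90)   # Req. 8.2.4: change at least every 90 days
AS_OF = date(2024, 3, 4)                # constructed review date

# Constructed sample export, e.g. from a directory or IAM system.
SAMPLE_ACCOUNTS = [
    {"user": "alice",   "last_login": date(2024, 2, 20), "password_set": date(2023, 12, 1)},
    {"user": "bob",     "last_login": date(2023, 11, 1), "password_set": date(2024, 1, 15)},
    {"user": "svc_etl", "last_login": None,              "password_set": date(2023, 9, 1)},
    {"user": "dana",    "last_login": date(2024, 3, 1),  "password_set": date(2024, 2, 1)},
]


def days_inactive(acct: dict, as_of: date):
    """None when the account has never logged in (treated as inactive below)."""
    return None if acct["last_login"] is None else (as_of - acct["last_login"]).days


def review_accounts(accounts, as_of: date = AS_OF) -> dict:
    """Return the quarterly action list: accounts to disable and passwords to rotate."""
    disable, rotate = [], []
    for acct in accounts:
        inactive = days_inactive(acct, as_of)
        # Assumption: an account with no recorded login is treated as inactive.
        if inactive is None or inactive > INACTIVITY_LIMIT.days:
            disable.append(acct["user"])
        if (as_of - acct["password_set"]) > PASSWORD_MAX_AGE:
            rotate.append(acct["user"])
    return {"disable": sorted(disable), "rotate": sorted(rotate)}


def is_compliant(accounts, as_of: date = AS_OF) -> bool:
    """True only when neither rule produces an action."""
    result = review_accounts(accounts, as_of)
    return not result["disable"] and not result["rotate"]


if __name__ == "__main__":
    print(review_accounts(SAMPLE_ACCOUNTS))
```

Running the same function weekly rather than quarterly gives the same answer sooner; the requirement sets the maximum interval, not the minimum.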
6 Months

Firewall Configuration: Review firewall and router rule sets
Requirement: 1.1.7
Review firewall and router rule sets at least every six months (semi-annually).
Annually

Security Policy: Personnel acknowledgment of policies and procedures
Requirement: 12.6.2
Require appropriate personnel to acknowledge at least annually that they have read and understood the organization's security policy and procedures.

Security Policy: Review and test incident response plan
Requirement: 12.10.2
Review and test the incident response plan, including all elements listed in Requirement 12.10.1, at least annually.

Security Policy: Perform vendor risk assessment
Requirement: 12.8.4
Maintain a program to monitor service providers' PCI DSS compliance status at least annually.

Maintaining Systems & Applications: Conduct secure code training for developers
Requirement: 6.5
Train developers at least annually in up-to-date secure coding techniques. Training for developers may be provided in-house or by third parties and should be applicable to the technology used.

Physical Access: Review offsite media storage locations
Requirement: 9.5.1
Store media backups in a secure location, preferably an off-site facility, such as an alternate or backup site, or a commercial storage facility. Reviewing the storage facility at least annually enables the organization to address identified security issues in a timely manner, minimizing the potential risk.

Physical Access: Inventory media
Requirement: 9.7
Maintain strict control over the storage and accessibility of media.

Physical Access: Review media inventories
Requirement: 9.7.1
Properly maintain inventory logs of all media and conduct an inventory of media at least annually. Without careful inventory methods and storage controls, stolen or missing media could go unnoticed for a long time or not be noticed at all.

Periodically

Protect Stored Data: Change cryptographic keys (based on the cryptoperiod defined in policy, which should be determined by the organization's risk assessment)
Requirement: 3.6.4
Change cryptographic keys that have reached the end of their cryptoperiod (for example, after a defined period of time has passed and/or after a certain amount of cipher-text has been produced by a given key), as defined by the associated application vendor or key owner, and based on industry best practices and guidelines.

Physical Access: Inspect devices to detect tampering or substitution
Requirement: 9.9.2
Periodically inspect device surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device).

Access Tracking & Monitoring: Review logs of other system components not covered in 10.6.1 (non-critical system components that do not transmit CHD or perform network or security functions)
Requirement: 10.6.2
Review logs of all other system components periodically based on the organization's policies and risk management strategy, as determined by the organization's annual risk assessment.

Malware Protection & Anti-Virus Software: Identify and evaluate evolving malware threats in order to confirm whether systems not commonly affected by malware continue to not require anti-virus software
Requirement: 5.1.2
For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.

Malware Protection & Anti-Virus Software: Perform anti-virus scans
Requirement: 5.2
Ensure that all anti-virus mechanisms are maintained as follows:
• Are kept current
• Perform periodic scans
• Generate audit logs which are retained per PCI DSS Requirement 10.7
Retention
How long you need to hold on to sensitive or archived information

1 Year

Access Tracking & Monitoring: Retain audit trail log history for at least one year
Requirement: 10.7
Retain all audit trail history for all in-scope systems for at least one year (a minimum of three months immediately available for analysis online). Log records can be archived after 90 days if they can be restored from backup in a timely manner.
Quarterly

Physical Access: Video surveillance recording and/or access control system log retention
Requirement: 9.1.1
Use either video cameras or access control mechanisms (or both) to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law.

Physical Access: Visitor log retention
Requirement: 9.4.4
A visitor log is used to maintain a record or physical audit trail of visitor activity to the facility as well as computer rooms and data centers. Document the visitor's name, the firm represented, and the onsite personnel authorizing physical access on the log. Retain record for a minimum of three months, unless otherwise restricted by law.

Access Tracking & Monitoring: Audit trail logs available for immediate analysis
Requirement: 10.7
Retain all audit trail history for all in-scope systems for at least one year, with a minimum of three months immediately available for analysis (for example, online and immediately available).

Periodically (based on business requirement)

Protect Stored Data: Retention requirements
Requirement: 3.1
Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data (CHD) storage:
• Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements
• Specific retention requirements for cardholder data
• Processes for secure deletion of data when no longer needed
• A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention
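Requirement 10.7 sets two thresholds on the same log set: three months immediately available, one year retained in total, with archival allowed in between. The following is an added example, not part of the A-LIGN cheat sheet, that sorts log files into those tiers and answers the question an incident responder asks first, namely which of the logs needed for an investigation are online now and which must be restored from the archive. The file names, their write dates and AS_OF are constructed; "timely manner" for restores is not quantified on the page, so no restore deadline is assumed here.

```python
# Added example, not part of the A-LIGN cheat sheet: tiering log files by the
# two 10.7 thresholds (90 days online, 365 days retained) and checking what an
# investigation can reach immediately. File names, dates and AS_OF are constructed.
from datetime import date, timedelta

ONLINE_MIN = timedelta(days=90)    # 10.7: three months immediately available
RETAIN_MIN = timedelta(days=365)   # 10.7: at least one year in total
AS_OF = date(2024, 3, 4)           # constructed evaluation date

# Constructed sample log files mapped to the date they were last written.
SAMPLE_FILES = {
    "auth.log-20240301": date(2024, 3, 1),
    "auth.log-20231215": date(2023, 12, 15),
    "auth.log-20230601": date(2023, 6, 1),
    "auth.log-20230201": date(2023, 2, 1),
}


def tier_of(written: date, as_of: date = AS_OF) -> str:
    """'online' within 90 days, 'archive' up to one year, 'expired' beyond that."""
    age = as_of - written
    if age <= ONLINE_MIN:
        return "online"
    if age <= RETAIN_MIN:
        return "archive"
    return "expired"


def classify(files: dict, as_of: date = AS_OF) -> dict:
    """Group files by tier. 'expired' means the 10.7 minimum has passed; deletion
    still depends on any longer legal or business retention the organization set."""
    tiers = {"online": [], "archive": [], "expired": []}
    for name, written in sorted(files.items()):
        tiers[tier_of(written, as_of)].append(name)
    return tiers


def needed_for_investigation(files: dict, since: date, as_of: date = AS_OF) -> dict:
    """For logs written on or after `since`, report what is reachable immediately
    versus what has to come back from the archive (or is no longer retained)."""
    result = {"online": [], "restore_needed": [], "unavailable": []}
    for name, written in sorted(files.items()):
        if written < since:
            continue
        tier = tier_of(written, as_of)
        key = {"online": "online", "archive": "restore_needed", "expired": "unavailable"}[tier]
        result[key].append(name)
    return result


if __name__ == "__main__":
    print(classify(SAMPLE_FILES))
    print(needed_for_investigation(SAMPLE_FILES, since=date(2023, 5, 1)))
```

The same two-threshold shape applies to the 3.1 cardholder-data retention process above, except that there the outer limit comes from the organization's own retention policy rather than from a fixed one-year figure.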
Response (continued)

Upon Hire

Security Policy: Background checks are conducted prior to hire
Requirement: 12.7
Background checks are conducted (within constraints of local laws) prior to hire on potential personnel who will have access to cardholder data or the cardholder data environment.

Prior to Deployment

Build and Maintain a Secure Network and Systems: Change vendor-supplied defaults and remove/disable default accounts before installing a system on the network
Requirement: 2.1
All default accounts (including accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, etc.) are removed or disabled before being deployed to production.

Build and Maintain a Secure Network and Systems: Apply system configuration hardening standards prior to systems being deployed to the production network
Requirement: 2.2
System configuration standards based on industry-accepted system hardening standards are to be applied when new systems are configured and in place before a system is installed on the network.

Build and Maintain a Secure Network and Systems: Update system configuration standards as new vulnerability issues are identified
Requirement: 2.2.b
System configuration standards must be kept up to date to ensure that newly identified weaknesses are corrected prior to a system being installed on the network. The organization's risk ranking process defined in Requirement 6.1 should require appropriate updates to configuration standards when appropriate.

Recurrence (continued)

Annually

Testing Systems & Processes: Perform external penetration testing
Requirement: 11.3.1
Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).

Testing Systems & Processes: Perform internal penetration testing
Requirement: 11.3.2
Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).

Testing Systems & Processes: Perform segmentation testing on segmentation controls
Requirement: 11.3.4
If segmentation is used to isolate the CDE from other networks, perform segmentation tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.

Security Policy: Review policies and procedures
Requirement: 12.1.1
Review the organization's security policy and procedures at least annually and update the policy and/or procedures when there are changes to the environment.

Security Policy: Conduct security awareness training for existing employees
Requirement: 12.6.1
Educate personnel upon hire and at least annually.
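The Prior to Deployment items (2.1 and 2.2) are the ones most easily turned into a gate in a build pipeline: compare the system about to be installed against the configuration standard and the list of vendor default accounts, and refuse deployment on any finding. The following is an added example, not part of the A-LIGN cheat sheet and not any hardening benchmark's own content: BASELINE, DEFAULT_ACCOUNTS, DEFAULT_SNMP and SAMPLE_SYSTEM are constructed stand-ins for the organization's own configuration standard, default-account list and a captured system inventory.

```python
# Added example, not part of the A-LIGN cheat sheet: a pre-deployment gate
# for Requirements 2.1 (vendor defaults removed/disabled) and 2.2 (hardening
# standard applied). Baseline, default lists and the sample system are constructed.
import copy

# Constructed stand-in for the organization's hardening standard (2.2).
BASELINE = {
    "sshd": {"PermitRootLogin": "no", "PasswordAuthentication": "no", "Protocol": "2"},
}
# Constructed stand-ins for vendor default accounts and SNMP community strings (2.1).
DEFAULT_ACCOUNTS = {"admin", "guest", "support"}
DEFAULT_SNMP = {"public", "private"}

# Constructed inventory of a system as captured before deployment.
SAMPLE_SYSTEM = {
    "sshd": {"PermitRootLogin": "yes", "PasswordAuthentication": "no", "Protocol": "2"},
    "accounts": [
        {"name": "admin", "enabled": True},
        {"name": "ops", "enabled": True},
        {"name": "guest", "enabled": False},
    ],
    "snmp_communities": ["public", "ops-ro-2024"],
}


def predeploy_check(system: dict) -> list:
    """Return every deviation from the standard; an empty list means deployable."""
    findings = []
    for service, settings in BASELINE.items():
        actual = system.get(service, {})
        for key, want in settings.items():
            got = actual.get(key)
            if got != want:
                findings.append(f"2.2 {service}: {key} is {got!r}, standard requires {want!r}")
    for acct in system.get("accounts", []):
        if acct["name"] in DEFAULT_ACCOUNTS and acct["enabled"]:
            findings.append(f"2.1 default account still enabled: {acct['name']}")
    for community in system.get("snmp_communities", []):
        if community in DEFAULT_SNMP:
            findings.append(f"2.1 default SNMP community string in use: {community}")
    return findings


def ready_for_production(system: dict) -> bool:
    return not predeploy_check(system)


def remediate(system: dict) -> dict:
    """Return a copy with the standard applied, defaults disabled and default
    community strings removed; the original inventory is left untouched."""
    fixed = copy.deepcopy(system)
    for service, settings in BASELINE.items():
        fixed.setdefault(service, {}).update(settings)
    for acct in fixed.get("accounts", []):
        if acct["name"] in DEFAULT_ACCOUNTS:
            acct["enabled"] = False
    fixed["snmp_communities"] = [c for c in fixed.get("snmp_communities", [])
                                 if c not in DEFAULT_SNMP]
    return fixed


if __name__ == "__main__":
    for finding in predeploy_check(SAMPLE_SYSTEM):
        print(finding)
    print("deployable:", ready_for_production(remediate(SAMPLE_SYSTEM)))
```

Because 2.2.b requires the standard to be updated as new weaknesses are identified, BASELINE is the one input that should be versioned and reviewed rather than hard-coded in the gate for long.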