Many merchants and service providers choose the path of self-validating. They perform all validation steps themselves and record their progress in the Self-Assessment Questionnaires (SAQ) and report their status in the Attestation of Compliance. A PCI Compliance Annual Plan can help self-attesting businesses to ease their way into the basics of PCI compliance. It can provide the necessary guidance for organizations that undergo an annual PCI QSA assessment.
To help out we have listed all mandatory PCI compliance tasks. These tasks need to be performed periodically and should be part of your PCI annual plan.
PCI Annual Plan
Continuously
- Requirement 5.2—AV Updates and Scans.
Ensure that all anti-virus mechanisms are kept current and perform periodic scans. - Requirement 11.4—IDS updates.
Keep all intrusion detection and prevention engines, baselines and signatures up to date.
Daily
- Requirement 6.1—Monitoring of Security Sites and Sources for Emerging Threats to the Confidentiality of Cardholder Data (CHD).
Establish a process to identify security vulnerabilities using reputable outside sources for security vulnerability information, and assign a risk ranking to newly discovered security vulnerabilities. - Requirement 10.6—Review of Logs and/or Alerts from Log Monitoring, IDS and AV Systems.
Review logs and security events for all system components to identify anomalies or suspicious activity. Log harvesting, parsing and alerting tools may be used to meet this requirement.
Weekly
- Requirement 11.5—FIM Scanning.
If this is not an on-going, real-time process, file integrity monitoring scans must be run at least weekly. Deploy a change-detection mechanism to alert personnel to unauthorized modification of critical files. Configure the software to perform critical file comparisons at least weekly.
Monthly
- Requirement 6.2—Application of Critical Software Patches.
Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.
Quarterly
- Requirement 11.1—Wireless Scanning.
A process needs to be executed to identify and remove any rogue wireless devices in the in-scope environment at least quarterly, and to scan for unauthorized wireless networks. - Requirement 11.2.1—Internal Scanning.
Must result in a clean scan at least quarterly for all relevant devices, if deficiencies are found they must be remediated, and another scan run to validate the issue was repaired. A year’s worth of reports must be retained and provided to the assessor during annual reviews. - Requirement 11.2.2—External Scanning.
These scans must be done using an Approved Scanning Vendor (ASV) product or service. Scans must result is a PASS for all relevant IPs and URLs at least quarterly. A year’s worth of reports must be retained and provided to the Assessor during annual reviews. - Requirement 3.1—Verify that Stored CHD Outside of the Retention Period is Securely Deleted.
A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention needs must be developed and executed with evidence that it has been performed. - Requirement 12.11—Review policies and procedures (for Service Providers)
Perform reviews at least quarterly to confirm that personnel are following security policies and operational procedures. Reviews should address, at a minimum: Daily log reviews, firewall rule-set reviews, application of configuration standards on new systems, response to security alerts and change management processes. Reviews must be documented, resulting in an auditable, dated record of execution.
Semi-annually
- Requirement 1.1.7—Review Firewall and Router Configurations.
Perform and document firewall and router configuration reviews to verify that configurations are current, in line with documented standards, and comply with PCI requirements. - Requirement 11.3.4.1—Test the segmentation controls (for Service Providers)
Penetration testing is performed to verify the effectiveness of segmentation controls at least every six months and after any changes to segmentation controls/methods.
Annually
- Requirement 6.6—Review Public-Facing Web Apps.
This requirement can be met by using an automated solution, for example, a Web-Application Firewall, or by performing manual reviews. - Requirement 9.9 – Maintain an up-to-date list of payment terminals.
If your business uses payment terminals, it is required to make an annual inventory of the used terminals and to inspect them in order to see if they have been tampered with. - Requirement 11.3—Perform Internal and External Penetration Testing.
Conduct penetration testing in line with the PCI SSC guidance document, at both the network and application layers at least annually and after any material modification to the environment. - Requirement 12.1.1—Policy Review & Reapproval.
Verify that the information security policy is reviewed at least annually and is updated as needed to reflect changes to business objectives or the risk environment. - Requirement 12.2—Risk Assessment.
Implement a risk assessment process. The process must be performed at least annually; must identify critical assets, threats, and vulnerabilities; and must result in a formal, documented analysis of risk. - Requirement 12.6—Security Awareness Training.
Execute and document the performance of Security Awareness Training to make sure that all personnel are aware of cardholder data security and information security policies and procedures. This must happen at least annually and upon hire. - Requirement 12.6.2—Acknowledgment of Information Security Policy.
Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures. This process should be documented, resulting in an auditable record of annual review/acknowledgement by each employee. - Requirement 12.10.2—IRP Testing.
Review and test the information security Incident Response Plan (IRP) at least annually; include all elements listed in Requirement 12.10.1. Document the execution and results of the test.
At least annually and prior to the annual assessment, the assessed entity should also confirm the accuracy of their PCI DSS scope by identifying all locations and flows of cardholder data, as well as all systems that are connected to—or, if they were to become compromised, could impact—the cardholder data environment (CDE).
With an annual plan – PCI compliance doesn’t have to be a hassle
When you have an annual plan in place and you execute on the plan, it doesn’t take long before your actions become second nature. The same is true for PCI compliance and security best practices.
Engaging a reputable PCI QSA can also make your life easier because they can partner with you to serve as a trusted resource for advice and guidance throughout the year. Our team is here to help out. Contact us here.
Read more on maintaining PCI compliance in our blog: How to maintain PCI compliance