Friday, February 26, 2010

Periodic PCI Compliance Activities

I am often asked what activities companies must perform between PCI assessments in order to remain compliant with the PCI standard. Many people would be surprised to find out that the PCI DSS outlines the specific tasks companies must be doing all the time. The following activities were taken directly from the PCI DSS Version 1.2.1 and outline the periodic procedures companies must follow to stay compliant:


3.6.4 Periodic cryptographic key changes:

  • As deemed necessary and recommended by the associated application (for example, re-keying); preferably automatically
  • At least annually

6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:

  • Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes.
  • Installing a web-application firewall in front of public-facing web applications.

9.5 Store media back-ups in a secure location, preferably an off-site facility such as an alternate or backup site or a commercial storage facility. Review the location’s security at least annually.

9.9.1 Properly maintain inventory logs of all media and conduct media inventories at least annually.

11.3 Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification.

12.1.2 Annual process that identifies threats, vulnerabilities, and results in a formal risk assessment.

12.1.3 Perform a Security Policy review at least once a year and update when the environment changes.

12.6.1 Educate employees upon hire and at least annually.

12.6.2 Require employees to acknowledge at least annually that they have read and understood the company’s security policy and procedures.

12.9.2 Test Incident Response Plan at least annually.


1.1.6 Review firewall and router rule sets at least every six months.


8.5.5 Remove/disable inactive user accounts at least every 90 days.

8.5.9 Change user passwords at least every 90 days.

9.1.1 Use video cameras or other access control mechanisms to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law.

11.1 Test for the presence of wireless access points by using a wireless analyzer at least quarterly or deploy a wireless IDS/IPS to identify all wireless devices in use.

11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).


11.5 Deploy file integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files or content files; and configure the software to perform critical file comparisons at least weekly.


10.6 Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion detection system (IDS) and authentication, authorization, and accounting protocol (AAA) servers (for example, RADIUS).

12.2 Develop daily operational security procedures that are consistent with requirements in this specification (for example, user account maintenance procedures, and log review procedures).


8.5.3 Set first-time passwords to a unique value for each user and change immediately after the first use.

8.5.4 Immediately revoke access for any terminated users.

12.3.9 Activation of remote-access technologies for vendors only when needed by vendors, with immediate deactivation after use.

Not specified, but suggest annually

12.8.4 Maintain a program to monitor service providers’ PCI DSS compliance status.
