Digital Edge's Compliance team has noticed that organizations and their IT/compliance groups often lack a clear understanding of which scheduled reviews and audits a given mandate requires.
Each cybersecurity standard or framework has its own requirements. This article lists the minimum reviews and audits required under the PCI DSS standard, with the frequency of each and the evidence an assessor will expect to see.
PCI review schedule:
| # | Description of review | Frequency | Evidence |
| 1 | Review of firewall and router configuration standards. The standards must require testing whenever configurations change, identify all connections between the cardholder data environment (CDE) and other networks (including wireless) in a current network diagram, document the business justification and technical settings for each rule, and include a diagram of all cardholder data flows across systems and networks. Firewall and router rule sets themselves must be reviewed at least every six months. | every 6 months | Report (short or detailed) |
| 2 | Review of firewall and router configurations to confirm they restrict all inbound and outbound traffic from "untrusted" networks and hosts (including wireless) to what is necessary for the CDE, and explicitly deny all other traffic. | every 6 months | Report (short or detailed) |
| 3 | Review to confirm that no direct public access exists between the Internet and any system component in the CDE (inbound Internet traffic terminates in a DMZ, and outbound traffic from the CDE to the Internet is explicitly authorized). | every 6 months | Report (short or detailed) |
| 4 | Review of personal firewall software (or equivalent functionality) on any device, company- or employee-owned, that connects to the Internet when outside the network (for example, employee laptops) and is also used to access the CDE. The firewall must be running and must not be alterable by users. | every 6 months | Report (short or detailed) |
| 5 | Review of the related security policies and operational procedures to confirm they are documented, in use, and known to all affected parties. | every 6 months | Report (short or detailed) |
| 6 | Review of passwords and accounts to confirm that no vendor-supplied defaults remain in use and that unnecessary default accounts have been removed or disabled. | every 3 months | Report (short or detailed) |
| 7 | Internal and external vulnerability scans based on current industry standards. External scans must be performed by a PCI SSC Approved Scanning Vendor (ASV); rescans are run until passing results are obtained, and scans are also required after any significant change. | every 3 months | Detailed report |
| 8 | Review of the cryptography protecting all non-console administrative access (for example, confirming that only strong protocols such as SSH or TLS are used and that Telnet and other cleartext management protocols are disabled). | every 3 months | Report (short or detailed) |
| 9 | Review of the inventory of system components that are in scope for PCI DSS, to confirm it is complete and current. | every 6 months | Detailed report |
| 10 | Review of shared hosting providers, which must protect each hosted entity's environment and cardholder data (separation of each entity's processes, file access, and logs). | every 6 months | Report (short or detailed) |
| 11 | Review of stored cardholder data: whether storing it is necessary at all, and whether retention is limited to what business, legal, or regulatory requirements need, with defined retention periods. | every 3 months | Report (short or detailed) and/or screenshots |
| 12 | Review of the data purges performed: stored cardholder data that exceeds the defined retention period must be identified and securely deleted at least quarterly. | every 3 months | Report (short or detailed) and/or screenshots |
| 13 | Check that no sensitive authentication data (full track data, card verification codes, PINs or PIN blocks) is stored after authorization, even if encrypted. If any is stored, review how it is protected and the documented business justification for storing it. | every 3 months | Report (short or detailed) and/or screenshots |
| 14 | Check that: A. the PAN is masked when displayed so that at most the first six and last four digits are visible, except to personnel with a legitimate business need to see the full PAN; B. the PAN is rendered unreadable anywhere it is stored, including on portable digital media, backup media, in logs, and in data received from or stored by wireless networks; C. the full PAN is never sent unprotected by end-user messaging technologies (for example, e-mail, instant messaging, SMS, chat). | every 3 months | Report (short or detailed) and/or screenshots |
| 15 | Review of the cryptography and security protocols that safeguard cardholder data during transmission over open, public networks (for example, the Internet, wireless technologies, cellular technologies, General Packet Radio Service [GPRS], satellite communications): only trusted keys and certificates, strong protocols, and strong cipher suites may be accepted (SSL and early TLS are not considered strong). Wireless networks transmitting cardholder data or connected to the CDE must use industry best practice to implement strong encryption for authentication and transmission. | every 3 months | Report (short or detailed) and/or screenshots |
| 16 | Review of anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers). Check: A. that all anti-virus mechanisms are kept current, perform periodic scans, and generate audit logs that are retained per PCI DSS Requirement 10.7; B. that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period. | every month | Report (short or detailed) and/or screenshots |
| 17 | Patching review to check that all system components and software are protected with the latest vendor-supplied security patches. Critical security patches must be installed within one month of release. | every month | Report (short or detailed) and/or screenshots |
| 18 | Training of developers in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities and how sensitive data is handled in memory, with applications developed according to secure coding guidelines. | every 12 months | Report (short or detailed) and/or screenshots |
| 19 | User access review to confirm that access to system components and cardholder data is granted only to individuals whose job requires it, and is limited to the least privileges necessary. | every 3 months | Report (short or detailed) and/or screenshots |
| 20 | Review of access to system components to confirm that every user has a unique ID (no shared or generic accounts) and that access is restricted to the tasks each user needs to perform. | every 3 months | Report (short or detailed) and/or screenshots |
| 21 | Physical access review to check: A. what physical access employees and visitors have to sensitive areas; B. how visitors are authorized, identified, escorted, and logged; C. how media is stored and secured; D. how substitution of or tampering with card-reading devices is prevented (device inventory and periodic inspection). | every 6 months | Report (short or detailed) and/or screenshots |
| 22 | Audit log review to check: A. that the activities of each user are logged and can be reconstructed; B. that logs are protected from modification; C. that the audit trail is retained for at least 12 months, with a minimum of 3 months immediately available for analysis. | every 3 months | Report (short or detailed) and/or screenshots |
| 23 | Review of the logs and security events of all system components (critical logs) to identify anomalies or suspicious activity. | daily | Report or screenshots |
| 24 | Internal and external penetration testing at the network and application layers, including testing of segmentation controls; also required after any significant infrastructure or application upgrade or modification. | every 12 months | Detailed report |
| 25 | Review of file-integrity monitoring (change-detection) results. Critical file comparisons must be performed at least weekly, and alerts on unauthorized modification of critical system, configuration, or content files must be investigated. | every month | Report (short or detailed) and/or screenshots |
| 26 | Risk assessment that identifies critical assets, threats, and vulnerabilities, and results in a formal, documented analysis of risk; also required upon significant changes to the environment. | every 12 months | Detailed report |
| 27 | Security awareness program to make all personnel aware of the cardholder data security policy and procedures. Personnel are educated upon hire and at least annually, and must acknowledge the policy at least annually. | every 12 months | Detailed report |
| 28 | Review and testing of the incident response plan, updated to reflect lessons learned and industry developments. | every 12 months | Report (short or detailed) and/or screenshots |
| 29 | Service providers only: review to confirm that personnel are following security policies and operational procedures, covering daily log reviews, firewall rule-set reviews, application of configuration standards to new systems, responses to security alerts, and change management processes. | every 3 months | Report (short or detailed) and/or screenshots |
| 30 | Network segmentation review: penetration testing of segmentation controls to confirm they are operational and effective and isolate all out-of-scope systems from the CDE (for service providers, at least every six months and after any change to segmentation controls). | every 12 months | Report (short or detailed) |
| 31 | Self-Assessment Questionnaire (SAQ) with Attestation of Compliance | every 12 months | Detailed report |
| 32 | PCI DSS Report on Compliance (ROC), prepared by a Qualified Security Assessor or an eligible internal assessor | every 12 months | Detailed report |