
6/14/2022

Mandatory Manual Reviews and Audits – PCI Requirements.

Digital Edge's Compliance team has noticed that organizations and their IT/compliance groups often lack an understanding of the mandates for scheduled reviews and audits.

Each cybersecurity standard or framework has its own unique requirements. This article lists the minimum required reviews and audits under the PCI DSS standard.

PCI review schedule (each item gives the description of the review, its frequency, and the evidence to retain):

1. Review firewall and router configuration standards that formalize testing whenever configurations change; that identify all connections between the cardholder data environment and other networks (including wireless) with documentation and diagrams; that document the business justification and technical settings for each implementation; and that diagram all cardholder data flows across systems and networks.
   Frequency: every 6 months
   Evidence: Results of the review in the form of a report (short or detailed)

2. Review firewall and router configurations that restrict all traffic, inbound and outbound, from "untrusted" networks (including wireless) and hosts, and specifically deny all other traffic except for protocols necessary for the cardholder data environment.
   Frequency: every 6 months
   Evidence: Results of the review in the form of a report (short or detailed)

3. Review that no direct public access exists between the Internet and any system component in the cardholder data environment.
   Frequency: every 6 months
   Evidence: Results of the review in the form of a report (short or detailed)

4. Review personal firewall software or equivalent functionality on any devices (company and/or employee owned) that connect to the Internet when outside the network (for example, laptops used by employees) and that are also used to access the cardholder data environment.
   Frequency: every 6 months
   Evidence: Results of the review in the form of a report (short or detailed)

5. Review related security policies and operational procedures.
   Frequency: every 6 months
   Evidence: Results of the review in the form of a report (short or detailed)

6. Review passwords and accounts to confirm that vendor-supplied defaults are not in use and that unnecessary default accounts have been removed.
   Frequency: every 3 months
   Evidence: Results of the review in the form of a report (short or detailed)

7. Perform internal and external vulnerability assessments based on the latest industry standards.
   Frequency: every 3 months
   Evidence: Results of the review in the form of a detailed report

8. Cryptography review to confirm that all non-console administrative access is encrypted.
   Frequency: every 3 months
   Evidence: Results of the review in the form of a report (short or detailed)

9. Inventory review of all system components that fall within the scope of PCI DSS.
   Frequency: every 6 months
   Evidence: Results of the review in the form of a detailed report

10. Review of shared hosting providers, which must protect each entity's hosted environment and cardholder data.
    Frequency: every 6 months
    Evidence: Results of the review in the form of a report (short or detailed)

11. Review of stored cardholder data to confirm the business need for storing it and the retention period.
    Frequency: every 3 months
    Evidence: Results of the review in the form of a report (short or detailed) and/or a screenshot

12. Review of data purges performed.
    Frequency: every 3 months
    Evidence: Results of the review in the form of a report (short or detailed); screenshot

13. Check that no sensitive authentication data is stored after authentication is performed. If sensitive data is stored, review its protection and the business reason for storing it.
    Frequency: every 3 months
    Evidence: Results of the review in the form of a report (short or detailed); screenshot

14. Check whether:
    A. the PAN is displayed correctly, showing no more than the first six and last four digits;
    B. the PAN is unreadable anywhere it is stored, including on portable digital media, backup media, in logs, and in data received from or stored by wireless networks;
    C. the full PAN is not sent by end-user messaging technologies (for example, e-mail, instant messaging, SMS, chat, etc.).
    Frequency: every 3 months
    Evidence: Results of the review in the form of a report (short or detailed); screenshot

15. Review of cryptography and security protocols used to safeguard sensitive cardholder data during transmission over open, public networks (e.g. the Internet, wireless technologies, cellular technologies, General Packet Radio Service [GPRS], satellite communications). Ensure that wireless networks transmitting cardholder data or connected to the cardholder data environment use industry best practices to implement strong encryption for authentication and transmission.
    Frequency: every 3 months
    Evidence: Results of the review in the form of a report (short or detailed); screenshot

16. Review anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers). Check:
    A. that all anti-virus mechanisms are kept current, perform periodic scans, and generate audit logs that are retained per PCI DSS Requirement 10.7;
    B. that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.
    Frequency: every month
    Evidence: Results of the review in the form of a report (short or detailed); screenshot

17. Patching review to check whether all system components and software have the latest security patches from vendors. Critical security patches should be installed within one month of release.
    Frequency: every month
    Evidence: Results of the review in the form of a report (short or detailed); screenshot

18. Conduct training for developers on secure coding techniques and on developing applications according to secure coding guidelines, including how sensitive data is handled in memory.
    Frequency: every 12 months
    Evidence: Results of the review in the form of a report (short or detailed); screenshot

19. User access review to check that access to system components and cardholder data is granted only to those individuals whose job requires such access.
    Frequency: every 3 months
    Evidence: Results of the review in the form of a report (short or detailed); screenshot

20. Review of access to system components to confirm that each user has a unique ID and that access is restricted to the tasks the user is required to perform.
    Frequency: every 3 months
    Evidence: Results of the review in the form of a report (short or detailed); screenshot

21. Physical access review to check:
    A. what access employees and visitors have;
    B. how visitors are monitored and accompanied within areas;
    C. how media is stored;
    D. how "switching" of card-reading equipment can be prevented.
    Frequency: every 6 months
    Evidence: Results of the review in the form of a report (short or detailed); screenshot

22. Audit log review to check:
    A. the activities of each user;
    B. whether logs are protected from modification;
    C. whether a 12-month audit trail is available (the 12-month trail should be available with immediate access to the most recent 3 months).
    Frequency: every 3 months
    Evidence: Results of the review in the form of a report (short or detailed); screenshot

23. Critical log review.
    Frequency: daily
    Evidence: Report or screenshot

24. Penetration test of the security system.
    Frequency: every 12 months
    Evidence: Results of the review in the form of a detailed report

25. Review of the weekly comparison of critical files for changes to files and configurations (file integrity).
    Frequency: every month
    Evidence: Results of the review in the form of a report (short or detailed); screenshot

26. Risk assessment that identifies critical assets, threats, and vulnerabilities, and results in a formal assessment.
    Frequency: every 12 months
    Evidence: Results of the review in the form of a detailed report

27. Security awareness program to make all personnel aware of the cardholder data security policy and procedures.
    Frequency: every 12 months
    Evidence: Results of the review in the form of a detailed report

28. Review of the incident response plan.
    Frequency: every 12 months
    Evidence: Results of the review in the form of a report (short or detailed); screenshot

29. Service provider review to confirm that personnel are following security policies and operational procedures.
    Frequency: every 3 months
    Evidence: Results of the review in the form of a report (short or detailed); screenshot

30. Network segmentation review.
    Frequency: every 12 months
    Evidence: Results of the review in the form of a report (short or detailed)

31. Self-Assessment Questionnaire.
    Frequency: every 12 months
    Evidence: Results of the review in the form of a detailed report

32. PCI DSS Report on Compliance.
    Frequency: every 12 months
    Evidence: Results of the review in the form of a detailed report
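The PAN checks in item 14 (first-six/last-four display masking, and no readable PAN in logs) can be made repeatable rather than a manual skim. The following is an added example, not Digital Edge's code: it masks a PAN for display and scans constructed sample log lines for unmasked, Luhn-valid card numbers, reporting each finding in masked form so the evidence itself never contains a full PAN. It assumes PANs appear as contiguous digit runs.

```python
import re

# Digit runs of 13 to 19 characters are PAN candidates (not preceded or followed by a digit).
# Assumption: PANs appear as contiguous digits; separators like spaces or dashes are not handled.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN to its first six and last four digits (item 14A display rule)."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_unmasked_pans(text: str) -> list:
    """Return (line_number, masked_pan) for each Luhn-valid PAN candidate in text.

    Only the masked form is returned so the finding does not itself reproduce the PAN.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            if luhn_valid(match.group()):
                findings.append((lineno, mask_pan(match.group())))
    return findings


# Constructed sample log lines (not real data); the card numbers are public test numbers.
SAMPLE_LOG = """2022-06-14 10:01:02 INFO  payment ok card=411111******1111 order=987654321
2022-06-14 10:01:03 DEBUG raw request body: {"pan": "4111111111111111", "exp": "1225"}
2022-06-14 10:01:04 INFO  session id 1234567890123456 created
2022-06-14 10:01:05 WARN  retry for 5500000000000004 after timeout
"""

if __name__ == "__main__":
    for lineno, masked in find_unmasked_pans(SAMPLE_LOG):
        print(f"line {lineno}: unmasked PAN {masked}")
```

The already-masked value on line 1 and the 16-digit session id on line 3 (which fails the Luhn check) produce no findings; the DEBUG body on line 2 and the retry message on line 4 do.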

Michael Petrov
Founder, Chief Executive Officer

Michael brings 30 years of experience as an information architect, optimization specialist and operations advisor. His experience includes extensive high-profile project expertise, such as mainframe and client-server integration for Mellon Bank, extranet systems for Sumitomo Bank, and architecture and processing workflow for the alternative investment division of US Bank. Michael possesses advanced knowledge of security standards such as ISO 27001, NIST, SOC and PCI, which he brings into every solution delivered by Digital Edge. These security solutions and standards extend into public clouds such as AWS and Azure.
