April 28, 2020

Payment Card Industry (PCI) - Recurring Requirements Require Attention!

Written by Jonathan White
PCI Assessment Program Assessment & Compliance

There are certain items contained within the 12 PCI requirements that have to be performed based on defined frequencies. In my experience, companies sometimes struggle with adhering to some if not all of these items. There are a number of reasons that this might happen, whether it's related to employee turnover, unfamiliarity with the items, or just plain neglect. I felt inclined to offer some suggestions to help the process.

The first recommendation is for the responsible person(s) to familiarize themselves with the frequency-defined requirements. Searching the PCI Report on Compliance template (located at https://www.pcisecuritystandards.org/document_library) for words such as 'day,' 'daily,' 'week,' 'month,' 'quarter,' 'annual,' 'frequency,' and 'year' should find most if not all of the items. Keep in mind that this will only uncover the frequencies defined by the PCI Council; there will be other frequencies defined by your company's internal policies (e.g. how often a company inspects its Point of Sale (POS) terminals for tampering).

Another recommendation would be to have multiple employees assigned to review compliance, ensuring the tasks are performed based on the defined frequency. If it’s not feasible to assign multiple employees, at least assign a primary and a backup. This way, if a person is on vacation or leaves the company, the alternate still has a chance to execute the steps and prevent the risk of non-compliance.

A final recommendation is to set up some kind of recurring notification alert prior to the frequency deadline. The person(s) responsible for PCI compliance won't necessarily need a robust system for notifications such as ticketing systems (e.g. Jira, ServiceNow) or GRC tools. The responsible person(s) can simply set up email calendar reminders to ensure the checks are performed. It wouldn’t hurt to set up a backup reminder, sort of like a snooze button on an alarm clock - we all can get busy and sometimes miss reminders.

Below is a list of some items with defined frequencies. Please note this is not an all-inclusive list and that there are additional requirements for Service Providers:

Frequency | Requirement | Tasks to Perform
Daily | 10.6.1 | Daily log reviews of critical systems.
Weekly | 11.5 | Critical file comparisons (e.g. File Integrity Monitoring).
Monthly | 6.2 | Install critical patches.
Quarterly | 11.1 | Test for presence of wireless access points.
Quarterly | 11.2 | Run internal and external vulnerability scans.
Quarterly | 11.2.2 | Perform external vulnerability scans via an Approved Scanning Vendor (ASV).
Every three (3) months | 8.1a | Observe and review inactive user accounts.
Every three (3) months | 8.2.4 | Change user passwords/passphrases at least once every 90 days.
Every six (6) months | 1.1.7 | Review firewall rulesets (if applicable).
Annually | 6.5a | Train developers on secure coding practices.
Annually | 11.3.1 and 11.3.2 | Perform internal and external penetration tests (note: Service Providers must perform tests every 6 months).
Annually | 12.1.1 | Review the company security policy.
Annually | 12.2 | Perform a risk assessment.
Annually | 12.6 | Administer employee security awareness training.
Annually | 12.8.4 | Maintain a program to monitor service providers' PCI DSS compliance status.
Annually | 12.10 | Review and test the incident response plan.
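The reminder-with-a-backup approach described above, together with the frequencies in the table, can be kept honest with a very small tracker rather than a GRC tool. The following is an added example written for this post, not code from the author or the PCI Council: it maps each frequency wording to a calendar interval (an assumption; in particular "every three months" is treated the same as "quarterly"), computes the next due date from the date a task was last performed, and decides who needs a nudge. The primary owner gets the first reminder a week out; the backup owner is copied on a second reminder two days out and on anything overdue. The lead times, names and dates are constructed sample values.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed mapping of the frequency wording used in the table to an interval.
# Month-based intervals advance the calendar month rather than adding a fixed
# number of days, so a quarterly check done on Jan 15 is next due on Apr 15.
FREQUENCIES = {
    "daily": ("days", 1),
    "weekly": ("days", 7),
    "monthly": ("months", 1),
    "quarterly": ("months", 3),
    "every three months": ("months", 3),
    "every six months": ("months", 6),
    "annually": ("months", 12),
}


def add_months(d: date, n: int) -> date:
    """Advance d by n calendar months, clamping the day to the target month's length."""
    month_index = d.month - 1 + n
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def next_due(last_done: date, frequency: str) -> date:
    """Date by which the task must be performed again."""
    unit, count = FREQUENCIES[frequency.lower()]
    if unit == "days":
        return last_done + timedelta(days=count)
    return add_months(last_done, count)


@dataclass
class RecurringItem:
    requirement: str   # PCI DSS requirement number, e.g. "11.2"
    task: str
    frequency: str     # a key of FREQUENCIES
    last_done: date    # date the task was last completed
    owner: str         # primary person responsible
    backup: str        # alternate, per the "primary and backup" recommendation


def classify(item: RecurringItem, today: date,
             lead_days: int = 7, backup_lead_days: int = 2) -> dict:
    """Decide whether an item is fine, needs its first reminder, needs the
    backup reminder (which also goes to the backup owner), or is overdue."""
    due = next_due(item.last_done, item.frequency)
    days_left = (due - today).days
    if days_left < 0:
        state, notify = "OVERDUE", [item.owner, item.backup]
    elif days_left <= backup_lead_days:
        state, notify = "BACKUP_REMINDER", [item.owner, item.backup]
    elif days_left <= lead_days:
        state, notify = "REMINDER", [item.owner]
    else:
        state, notify = "OK", []
    return {"requirement": item.requirement, "state": state, "due": due,
            "days_left": days_left, "notify": notify}


def due_report(items, today: date) -> list:
    """Classify every item, listing the ones that need attention first."""
    rows = [classify(item, today) for item in items]
    order = {"OVERDUE": 0, "BACKUP_REMINDER": 1, "REMINDER": 2, "OK": 3}
    return sorted(rows, key=lambda r: (order[r["state"]], r["due"]))


# Constructed sample tracker entries (dates and names are made up).
SAMPLE_TODAY = date(2020, 4, 28)
SAMPLE_ITEMS = [
    RecurringItem("11.5", "Critical file comparisons (FIM)", "weekly",
                  date(2020, 4, 27), "alice", "bob"),
    RecurringItem("11.2", "Internal and external vulnerability scans", "quarterly",
                  date(2020, 1, 15), "bob", "carol"),
    RecurringItem("12.2", "Risk assessment", "annually",
                  date(2019, 4, 30), "carol", "alice"),
    RecurringItem("1.1.7", "Firewall ruleset review", "every six months",
                  date(2020, 1, 31), "alice", "bob"),
]

if __name__ == "__main__":
    for row in due_report(SAMPLE_ITEMS, SAMPLE_TODAY):
        print(f"{row['requirement']:<6} {row['state']:<16} due {row['due']} "
              f"({row['days_left']:+d} days) notify {', '.join(row['notify']) or '-'}")
```

Run it daily from cron or a scheduled task and route the `notify` list to email and the report is the calendar reminder the post recommends, with the backup built in. The month arithmetic matters: adding 90 days to a quarterly item drifts earlier each cycle, whereas advancing the calendar month keeps the due date stable (and a January 31 start correctly lands on the last day of February).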

Ensuring that frequency-defined requirements are complete is always easier than building a time machine for a missed item. For most customers, a non-compliant RoC is not an option, especially if the non-compliance was a result of overlooking frequency-based items that could have easily been performed.

You can refer to the Payment Card Industry Data Security Standard at https://www.pcisecuritystandards.org for all frequency-defined requirements and more information.