Home > Information Security, PCI > Set and Don’t Forget

Set and Don’t Forget

I am also the editor of the Neohapsis Labs blog. The following is reprinted with permission from

By Patrick Harbauer, Neohapsis Senior Security Consultant and PCI Technical Lead

There are several PCI DSS requirements that are related to tasks that must be performed on a regular basis. The frequency of these tasks varies from daily to annual. There are also a few requirements that make it important to have PCI DSS compliant data retention policies and procedures in place. An example of a requirement that calls for a task to be performed periodically is requirement 11.2.2: Perform quarterly external vulnerability scans via an Approved Scanning Vendor (ASV). An example of a requirement the calls for compliant data retention policies and procedures is requirement 9.4: Use a visitor log to maintain a physical audit trail of visitor activity. Retain this log for a minimum of three months, unless otherwise restricted by law. If processes or checklists are not in place to track your compliance with these reoccurring tasks, you may be in for an unpleasant surprise during your next annual ROC assessment.

Are You Certifiable?

11.2.2 is one of the classic requirements where we see this happen all too often. When we ask a customer if we can review the certified, passing ASV scans from the last four quarters and we get a response such as, “Oops, Susie was responsible for that and she was reassigned to a different department…” we stick our fingers in our ears and say “la la la la” but that hasn’t ever made the problem go away. Unfortunately, when this happens, instead of a 10 minute conversation reviewing 4 certified and passing ASV scans, we have to buy a few pizza’s, cross our fingers and review several external vulnerability scan reports in hopes that the customer can demonstrate they are scanning and remediating to meet the spirit and intent of requirement 11.2.2.

A Ruleset Only a Mother Could Love

We have seen some very ugly firewall rule sets. We do understand that the business must be able to function and exists to make as large a profit as possible – not to sing the praises of PCI. But as QSA’s, we do need to see six month firewall and router rule set reviews and evidence that the rule sets are being maintained with good hygiene. Maintaining clean and healthy firewall rule sets is similar to a good exercise regimen. If your doctor gives you a daily exercise program to maintain your health and you follow it in a haphazard fashion, your doctor is not going to be able to give you a good health report upon your next doctor’s visit. Similarly, you need a solid program in place to make sure that your firewall rule sets remain healthy and only allow the outbound and inbound network traffic that is actually needed and authorized. And let’s face it, automation is needed for most organizations to manage their firewall and router rule sets effectively. Fortunately there are several excellent solutions available on the market that give you the ability to manage your firewall and router rule sets. For example, these solutions can analyze your rule sets to find overlapping and redundant rules, rules that have not been used over that last X days or rules that allow “any” access – a big PCI no-no. They can also provide the change control mechanisms needed to make sure that changes to firewall rule sets are reviewed and approved by authorized individuals and are properly documented so that rule sets are closely and properly managed.

“The Matrix”

To assist you with making sure that your security program is giving proper attention to specific PCI requirements, we are providing the following two lists. These can be used to create a matrix, review your security operations and to correct any gaps that you may uncover. List 1 covers the frequency with which tasks must be performed related to specific PCI DSS requirements. List 2 shows data retention periods tied to specific requirements. With a little planning, you can keep your PCI compliance on track at all times and avoid unpleasant surprises when your friendly QSA shows up for your next ROC assessment!

List 1 – Recurring PCI Compliance Tasks

1.1.6 – Review firewall and router rule sets (Every 6 Months)

3.1.1 – Automatic or manual process for identifying and securely deleting stored cardholder data (Quarterly)

6.1 – All system components and software are protected from known vulnerabilities (Monthly)

6.6 – Address new threats and vulnerabilities for public-facing web applications (At least annually and after any changes)

8.5.5 – Remove/disable inactive user accounts (Quarterly)

9.5 – Review security of backup media storage location (Annually)

9.9.1 – Properly maintain inventory logs of all media and conduct media inventories (Annually)

10.6 – Review logs for all system components (Daily)

11.1 – Test for the presence of wireless access points and detect unauthorized wireless access points (Quarterly)

11.2.1 – Perform internal vulnerability scans (Quarterly)

11.2.2 – Perform external vulnerability scans via an Approved Scanning Vendor (Quarterly)

11.2.3 – Perform internal and external scans (After any significant change)

11.3 – Perform external and internal penetration testing (At least once a year and after any significant infrastructure or application upgrade or modification)

11.5 – Deploy file-integrity monitoring tools and perform critical file comparisons (Weekly)

12.1.2 – Perform and document a formal risk assessment (Annually)

12.1.3 – Review security policy and update when the environment changes (Annually)

12.2 – Develop daily operational security procedures (Daily)

12.6.1 – Educate personnel (Upon hire and at least annually)

12.6.2 – Require personnel to acknowledge that they have read and understand the security policy and procedures (Annually)

12.8.4 – Maintain a program to monitor service providers’ PCI DSS compliance status (Annually)

List 2 – Data Retention Periods

9.1.1 – Store video camera and/or controls mechanism log (3 months)

9.4 – Retain visitor logs (3 months)

10.7 – Retain audit trail history (1 year)

Categories: Information Security, PCI
  1. October 17, 2013 at 8:27 pm

    I’m curious to find out what blog platform you’re utilizing?
    I’m having some minor security problems with my latest blog
    and I’d like to find something more safeguarded.
    Do you have any recommendations?

  2. October 17, 2013 at 10:58 pm

    First off I want to say awesome blog! I had a quick
    question which I’d like to ask if you don’t mind.
    I was curious to find out how you center yourself and clear your thoughts before writing.

    I’ve had a difficult time clearing my thoughts in getting my
    ideas out there. I do take pleasure in writing however it just seems like the first 10
    to 15 minutes are usually lost simply just trying to figure out
    how to begin. Any ideas or tips? Kudos!

  3. August 8, 2014 at 7:43 am

    Hi my loved one! I wish to say that this post is awesome,
    nice written and include almoswt all vital infos. I would like to look extr
    posts like this .

  4. August 11, 2014 at 3:08 pm

    This article provides clear idea in suhpport of the new users of blogging, that genuinely how to do blogging.

  5. August 14, 2014 at 7:00 am

    Asking qestions are genuinely good thing iff you arre not understandinbg something fully, buut tis paragraph offers nice understanding yet.

  6. August 15, 2014 at 8:12 pm

    I’ve been browsing on-line greater than 3 hours these days, yet I never
    found any fascinating article like yours.
    It’s beautiful price sufficient for me. In my view, if all webmasters and bloggers made excellent content material as you
    did, the web will probably be a lot more helpful than ever before.

  7. August 15, 2014 at 8:31 pm

    This websiute was… how do you say it? Relevant!! Finally
    I’ve found something which helped me. Thanks a lot!

  8. contract wars cheats
    August 16, 2014 at 9:00 pm

    However, this does not mean that you throw a meaty fastball on the middle with the plate.
    Article Source: Katz is an amateur gambler who had gained vast experience in casino gambling
    and online casino gambling. There are innumerable sites offering different kinds of gaming options which
    one can start to play and share online web-sites. Many flash games are already developed to match the needs of every age group of players.
    Powered attack strategy is one with the most effective
    strategies. This is largely owed that there have been an increased amount of fans seeking to
    try out them. The Best Free Roulette System Reveals How To Win At Roulette.

    The reply to other questions you can find by reading our site and our community
    support and investigation zone. Online games tend to boost your cooperative participation because it allows you to use other people.
    The Online Rpg games, as they’re called, are often difficult to find- particularly the ones that are top quality
    games. This game would be a masterpiece engaging open plotline
    joined with vast quantity of different options as well as some valid types of play made this an excellent
    game plus my opinion the highest turn based strategy coming from all time.
    Ensure you never skip reading this article important strategy.
    Players score points by encircling territory and capturing their opponent’s pieces.
    Whenever it really is found, the search is always deemed worth it.
    For example: in the event the latest addition with a racing game franchise
    comes out around the market, it’s be formatted to get played
    on PS3, Xbox360, Wii, Nintendo DS, and intended for PSP download.
    If you happen to be in a position to conduct pursuit well, you have to be able to discover
    the most appropriate mind games which will boost your
    thinking, cognitive ability, reaction time,
    improve your memory plus improve other skills required for growth
    and development. the zone invasions that occur, when one of
    them invasions starts the whole. Still, there are particular games, which needs downloading.
    Allow your children to learn games with only
    known players. Lack of versatility: Computers are capable of doing whole large amount
    of things besides supporting online flash games.
    Though neither the real time battles nor the turn based strategy were as detailed or accurate as games focused
    on those the mixture of the two made the overall game far more interesting.
    The sun and rain of the strategy game will be the gaming gamers, the
    territory, the aim, the policies. Some of the games may
    also be becoming conversant with ” new world ” technologies including the 3D
    and playing these games is now increasingly more attractive.

    Dates including birthdays and anniversaries will often be included on lotto tickets while they believe on numbers closest to their hearts will bring them luck.
    However, many girls are going for the light sprite option, as these dolls are viewed as
    of as fantastic and amazing.

  9. August 20, 2014 at 6:23 pm

    I sit in my cozy chair with a fire pit table in front of
    me writing about my adventure. Don’t fool yourself into thinking that this is a trivial task as it is not
    as simple as it sounds. This means that you must estimate how many cheat codes for candy crush saga on facebook
    bars you will need.

  10. August 25, 2014 at 8:54 pm

    The selective prelaunch cost of these condo available to be purchased at Gulshan Bellina Noida Extension is said to associate
    with Rs. The rich areas at Bellina by Gulshan Homz incorporate
    diverse sorts of living spaces which may join 2 BHK and
    3 BHK condominium accessible to be bought in Noida Extension.
    The central territory moreover allows straightforward access to diverse parts of the National Capital Region including
    Greater Noida, Ghaziabad and furthermore Delhi.

  11. September 2, 2014 at 7:44 pm

    What’s up, I log on to your blog daily. Your humoristic style is witty, keep doing what you’re doing!

  12. September 6, 2014 at 1:58 pm

    I’m gone to inform my little brother, that he should also pay a quick visit this
    blog on regular basis to get updated from most recent information.

  13. October 4, 2014 at 12:21 am

    Every weekend i used to visit this web page, because i want enjoyment, since this this
    site conations actually fastidious funny information too.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: