Many organizations struggle to keep up with the PCI compliance. We walk through three key areas and share a resource with over 57 requirements to check off and the related timeframes prescribed by the PCI DSS that you need to adhere to.
Credit card, debit card, and other financial data are extremely valuable, both to the people it belongs to and to cybercriminals. Like personally identifiable information (PII), financial data can be used for malicious purposes, which is why the Payment Card Industry Data Security Standard (PCI DSS) exists. Organizations that are PCI compliant demonstrate to customers, vendors, and partners that they take payment card security seriously—and this is nonnegotiable in today’s increasingly mobile, global, and remote landscape.
Yet maintaining PCI compliance is a challenge for many organizations. In fact, a surprisingly low number of organizations comply fully: In 2019, only 27.9 percent of organizations were fully in compliance with PCI DSS during interim validation and required some form of remediation, according to the 2020 Verizon Payment Security Report.
From small to midsize businesses (SMBs) to large enterprises, keeping track of all the daily, monthly, yearly, and other PCI requirements can be difficult. Many organizations fall behind or lose track of activities. This means that when it comes time to demonstrate compliance, it’s a scramble.
Given this, we have created PCI DSS by Numbers: A Cheat Sheet of Timeframes to Meet PCI DSS Requirements. Our cheat sheet breaks down the 57 core PCI DSS requirements that have timeframes associated with them and clarifies when they need to happen. This interactive cheat sheet lets you flip through the different types of timeframes you need to be aware of when it comes to PCI DSS:
- Response times: How quickly you need to respond to issues, incidents or important events
- Expirations: How long until items like policies, system hardening documents, or authentication passwords expire and must be updated
- Recurrences: How frequently information should be evaluated or tasks should be performed
- Retention: How long you need to hold on to sensitive or archived information
PCI DSS by Numbers gives a complete view of the timelines PCI DSS demands, but in this post, we wanted to explore three areas of security that have numerous milestones to meet in their own right. Each of these areas are fundamental for any organization, and all must be addressed regularly. Read on to learn more about why your organization needs to hit them.
Effectively Manage Logs
Logs are an important part of an organization’s security posture. By keeping a record of all activity within their systems, organizations can more easily identify cybersecurity threats and investigate what happened, why, how, and by who.
PCI DSS includes several requirements around log collection, analysis, and management, such as:
- Daily: Review all logs, including all security events; any logs that involve cardholder data (CHD) and/or sensitive authentication data (SAD); critical components; servers and security elements, such as firewalls.
- Three Months: At this point, a trail log should be available internally for analysis. The organization should also be maintaining visitor logs.
- Annually: Review media inventory logs to ensure that periodic assessments of your media and storage assets are taking place.
- Periodically: While the timing will depend on the organization’s risk levels, periodic log reviews include components not covered in the daily log review.
Passwords are an important security measure, but they must be strong and well protected. PCI DSS requirements for passwords span various timeframes and scenarios, but all are aimed at ensuring that passwords are carefully managed so that only legitimate users have access to corporate systems.
For example, password-related requirements include:
- Immediately: If a user is terminated, their access must be revoked without delay.
- 30 Minutes: If a password times out, accounts should lock users out for 30 minutes.
- 90 Days: Every 90 days, organizations should prompt their users to change their passwords.
- At First Use: If someone is using the system for the first time, they should be prompted to change their new or forgotten password.
- Minimum Length: To be PCI DSS compliant, passwords should be at least seven characters long.
- Lockouts: If a password has been incorrectly attempted six times, the system should lock the user out.
- Periodically: While the exact time frame is up to the organization’s discretion, non-consumer customer users should be prompted to change their passwords from time to time. This requirement applies only to service providers.
Conduct Regular Segmentation Testing and Vulnerability Scans
Organizations can only protect what they can see. Vulnerability scanning is a valuable tool for organizations to understand the weaknesses in their security postures and remedy them before a threat actor uncovers them.
Vulnerability scanning must be conducted at least every quarter according to PCI DSS, and both internal and external penetration testing should take place at least annually, although many organizations choose to do pen testing more frequently. Under PCI DSS, penetration testing is also required if there is a significant change to the system, such as an infrastructure upgrade or sub-system replacement.
To comply with PCI DSS year-round, organizations should ensure the following schedule is being followed:
- Six Months: Service providers must conduct penetration tests on their segmentation controls. Non-service providers are exempt.
- Annually: All organizations should perform internal and external penetration testing, as well as penetration testing on their segmentation methods.
- After Significant Changes: In these cases, organizations must conduct the same testing as the step above: internal, external, and segmentation method penetration testing.
Dive Deeper into PCI DSS Compliance
As you can see, cybersecurity is a continuous practice. Each area of focus named above requires attention year-round—sometimes in frequent intervals, and sometimes annually.
Organizations that plan ahead, anticipate timelines, and keep up with activities are much more likely to succeed at maintaining PCI DSS compliance, giving their customers, partners, and other stakeholders reassurance that payment card security is top of mind. The three areas above are only a small subset of the requirements for PCI DSS compliance. Explore our full PCI DSS requirement timeframe cheat sheet for a list your organization can use to stay ahead and stay compliant.