Have you ever been sitting in meetings with clients and auditors answering questions confidently and in all honesty only to find that your PCI compliance policy’s last review was three years ago?

Have you just found out that you don’t have "clean" vulnerability scans for the previous year?

What happened and how can you fix that?

Most organisations have tackled their ISO 27001, PCI DSS compliance and other initiatives as a project: they achieved compliance and simply closed the project.

Their work should not have stopped there, because achieving compliance is a point-in-time result that doesn't ensure continual protection.

Don't forget about the PCI DSS recurring tasks.

Absence of evidence doesn't translate into evidence of absence. That's why, in addition to achieving compliance, organisations must ensure that appropriate governance of the programme is in place and maintained, so that the compliance level is kept constant.

What are the right steps to take?

Organisations should start by creating a list of the important recurring tasks from PCI DSS version 3.0. A first step is to compare that list with the one below and award a point for each task that is in place.

Note: some tasks may need to be performed more frequently depending upon the environment/organisation.

| Requirement | Description |
|---|---|
| Scoping | Conducting activities to confirm the accuracy of the PCI DSS scope, identifying all locations and flows of cardholder data and ensuring they are included in scope, at least annually. |
| 1.1.7 | Reviewing firewall and router rule sets at least every six months. |
| 3.1 | Performing a review to identify and securely delete stored cardholder data that exceeds the defined retention period, at least quarterly. |
| 3.6.4 | Performing cryptographic key changes for keys that have reached the end of their cryptoperiod. [Ok, so this one can be a bit tenuous depending upon your encryption algorithms and key strength] |
| 5.1.2 | Periodically reviewing evolving malware threats in order to confirm whether systems not commonly affected by viruses continue not to require anti-virus software. |
| 5.2 | Maintaining anti-virus software (the engine and definitions) and performing periodic scans. |
| 6.6 | Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods at least annually. Note: not applicable if you use a Web Application Firewall. |
| 8.1.4 | Reviewing user accounts to remove or disable inactive users at least quarterly. |
| 9.5.1 | Reviewing the security of locations used to store media backups at least annually. |
| 9.7.1 | Reviewing the media inventories at least annually. |
| 9.9.2 | Periodically inspecting POS device surfaces to detect tampering (for example, addition of card skimmers to devices) or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device). |
| 10.6 | Reviewing logs and security events for all system components to identify anomalies or suspicious activity at least daily. |
| 10.6.2 | Reviewing logs from all other system components periodically, based on the organisation's policies and risk management strategy as determined by the organisation's annual risk assessment. |
| 11.1 | Testing for the presence of all authorised and unauthorised wireless access points at least quarterly. |
| 11.2 | Conducting vulnerability scans of the internal and external networks at least quarterly. |
| 11.3 | Conducting a penetration test, including a review and consideration of threats and vulnerabilities experienced in the last 12 months, at least annually. |
| 11.5 | Comparing critical files using change-detection mechanisms, such as file integrity monitoring software, at least weekly. |
| 12.1.1 | Reviewing the organisation's security policies at least annually. |
| 12.2 | Conducting the organisation's formal risk assessment at least annually. |
| 12.6.1 | Re-educating individuals as part of the organisation's formal security awareness programme at least annually. |
| 12.6.2 | Having individuals formally acknowledge that they have read and understood the security policy and procedures at least annually. |
| 12.8.4 | Monitoring the compliance status of service providers at least annually. |
| 12.10.2 | Testing the organisation's incident response plan(s) at least annually. |

What’s next?

Well, you can start by considering the following:

  • Who is responsible for performing each PCI DSS recurring task?
    Does the individual or team know what is expected of them? Do they keep track using a schedule or calendar? How do they record when they have performed the task?
  • What can be measured?
    How does someone in your organisation record that they have reviewed log files and found no suspicious events or exceptions to investigate?
  • Who is responsible for deciding when to test?
    Would someone in your organisation detect that the individual or team responsible for a task has failed to perform it? It is also important to discover such problems early so that they can be remediated.
  • How can I test whether my measurements are accurate?
    If the individual or team responsible for checking security alerts do not report any alerts, is it because there were no alerts, or because the systems used to generate alerts are not working correctly?
  • What does “good” look like?
    For example, conducting vulnerability scanning on a quarterly basis is quite different from conducting vulnerability scanning on a quarterly basis and obtaining ‘passing’ scans.
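The questions above (who owns a task, how its completion is recorded, how a missed task would be detected, and what "good" means) can be answered with a simple evidence log checked against the required frequency of each task. The script below is an added example written for this article; it is not code from the post or from Advantio. It assumes a hypothetical schema (a `Task` with a frequency and owner, an `Evidence` record with a date, a pass/fail flag and a reference) and hypothetical day limits per frequency; the tasks, dates and references in it are constructed sample data. It treats a task with no evidence as a gap rather than as compliant, and for 11.2 it only accepts scans that passed, so quarterly scans that keep failing still show the task as overdue.

```python
"""Recurring-task tracker for a PCI DSS compliance programme (added example).

Each task carries its required frequency, an owner and whether only a
passing result counts; each evidence record says when the task was
performed, whether it passed and where the proof lives. The report flags
tasks with no evidence, overdue tasks and tasks whose recent executions
produced no acceptable result.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Maximum allowed gap (days) between two executions. Hypothetical values
# with a little slack over a calendar week/quarter/half-year/year.
FREQUENCY_DAYS = {
    "daily": 1,
    "weekly": 7,
    "quarterly": 92,
    "six-monthly": 183,
    "annually": 366,
}


@dataclass
class Task:
    requirement: str
    description: str
    frequency: str
    owner: str
    needs_pass: bool = False  # e.g. 11.2: only a passing scan counts


@dataclass
class Evidence:
    requirement: str
    performed_on: date
    passed: bool = True
    reference: str = ""  # ticket number, report file name, etc.


def task_status(task, evidence, today):
    """Classify one task as OK, OVERDUE, FAILING or NO EVIDENCE."""
    limit = timedelta(days=FREQUENCY_DAYS[task.frequency])
    records = sorted(
        (e for e in evidence if e.requirement == task.requirement),
        key=lambda e: e.performed_on,
    )
    if not records:
        # Absence of evidence is not evidence of absence: report the gap.
        return "NO EVIDENCE", "no record of the task ever being performed"
    acceptable = [e for e in records if e.passed or not task.needs_pass]
    if not acceptable:
        return "FAILING", f"{len(records)} record(s), none with an acceptable result"
    last = acceptable[-1]
    age = today - last.performed_on
    if age > limit:
        return "OVERDUE", (f"last acceptable evidence {last.performed_on}, "
                           f"{age.days} days ago (limit {limit.days})")
    return "OK", (f"last acceptable evidence {last.performed_on} "
                  f"({last.reference or 'no reference'}), next due by "
                  f"{last.performed_on + limit}")


def compliance_report(tasks, evidence, today):
    """Return {requirement: (status, detail)} for every task in the programme."""
    return {t.requirement: task_status(t, evidence, today) for t in tasks}


# Constructed sample programme and evidence log (made up for this example).
TASKS = [
    Task("1.1.7", "Firewall and router rule set review", "six-monthly", "Network team"),
    Task("8.1.4", "Inactive user account review", "quarterly", "IT operations"),
    Task("10.6", "Daily log and security event review", "daily", "SOC"),
    Task("11.2", "Internal/external vulnerability scans", "quarterly", "Security team",
         needs_pass=True),
    Task("11.5", "File integrity monitoring comparison", "weekly", "Platform team"),
    Task("12.2", "Formal risk assessment", "annually", "CISO"),
]
EVIDENCE = [
    Evidence("1.1.7", date(2015, 2, 10), reference="CHG-1042"),
    Evidence("8.1.4", date(2015, 1, 5), reference="IAM-review-2015Q1"),
    Evidence("10.6", date(2015, 6, 30), reference="SIEM daily ticket"),
    Evidence("11.2", date(2015, 1, 15), passed=True, reference="scan-2015-01.pdf"),
    Evidence("11.2", date(2015, 4, 20), passed=False, reference="scan-2015-04.pdf"),
    Evidence("11.2", date(2015, 6, 1), passed=False, reference="scan-2015-06.pdf"),
    Evidence("12.2", date(2014, 9, 1), reference="RA-2014"),
]
AS_OF = date(2015, 6, 30)

if __name__ == "__main__":
    report = compliance_report(TASKS, EVIDENCE, AS_OF)
    for task in TASKS:
        status, detail = report[task.requirement]
        print(f"{status:<12} {task.requirement:<7} {task.owner:<15} {detail}")
```

Run as-is, the report shows 8.1.4 as overdue, 11.5 with no evidence at all, and 11.2 as overdue even though a scan was run in April and June, because the last scan that actually passed was in January. Feeding the script from the real evidence store (ticketing system, scan reports, change records) rather than from someone's memory is what turns the table of recurring tasks into something that can be checked before the auditor asks.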

Written by Marco Borza

I am the Founder of Advantio.
Technology has been my passion since I was a kid; when I first heard the handshake of an old 300bps modem, I realised security would be key in an interconnected world. Since then it has become my passion and primary focus.
The reason I started my own business is to make IT Security simple.

Certifications: CISSP / CCSA (Checkpoint) / ITIL Foundations / ACSA (ArcSight)/ Linux+/ PCI-QSA / PA-QSA