Achieving and maintaining Compliance, the PCI DSS recurring tasks.

Scoping

Conducting activities to confirm the accuracy of the PCI DSS scope, identifying all locations and flows of cardholder data and ensuring they are included in the scope at least annually.

1.1.7

Reviewing firewall and router rule sets at least every six months.

3.1

Performing a review to identify and securely delete stored cardholder data that exceeds defined retention at least quarterly.

3.6.4

Performing cryptographic key changes for keys that have reached the end of their crypto-period. [Ok, so this one can be a bit tenuous dependent upon your encryption algorithms and key strength]

5.1.2

Periodically performing a review of evolving malware threats in order to confirm whether system not commonly affected by virus continue to not require anti-virus software.

5.2

Maintaining anti-virus software (the engine and definitions) and performing periodic scans.

6.6

Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods at least annually. Note: Not applicable if you use a Web Application Firewall

8.1.4

Performing a review of user accounts to remove/disable inactive users at least quarterly.

9.5.1

Conducting a review of the security of locations used to store media backups at least annually.

9.7.1

Performing a review of the media inventories at least annually

9.9.2

Performing periodic physical inspection of POS device surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device)

10.6

Reviewing review of logs and security events for all system components to identify anomalies or suspicious activity at least daily.

10.6.2

Reviewing logs from all other system components periodically based on the organisation’s policies and risk management strategy, as determined by the organisation’s annual risk assessment.

11.1

Test for the presence of all authorised and unauthorised wireless access points on a quarterly basis.

11.2

Conducting vulnerability scans of the internal and external networks at least quarterly.

11.3

Conducting a penetration test that includes a review and consideration of threats and vulnerabilities experienced in the last 12 months at least annually.

11.5

Perform a comparison of critical files using change-detection mechanisms, such as file integrity monitoring software, at least weekly.

12.1.1

Performing a review of the organisation’s security policies at least annually.

12.2

Conducting the organisation’s formal risk assessment at least annually.

12.6.1

Re-educating individuals as part of the organisation’s formal security awareness programme at least annually.

12.6.2

Individuals formally acknowledging that they have read and understood the security policy and procedures at least annually.

12.8.4

Monitor th compliance status of service providers at least annually.

12.10.2

Test the organisation’s the incident response plan/s at least annually.