By Patrick Harbauer, Neohapsis Senior Security Consultant and PCI Technical Lead
There are several PCI DSS requirements that are related to tasks that must be performed on a regular basis. The frequency of these tasks varies from daily to annual. There are also a few requirements that make it important to have PCI DSS compliant data retention policies and procedures in place. An example of a requirement that calls for a task to be performed periodically is requirement 11.2.2: Perform quarterly external vulnerability scans via an Approved Scanning Vendor (ASV). An example of a requirement the calls for compliant data retention policies and procedures is requirement 9.4: Use a visitor log to maintain a physical audit trail of visitor activity. Retain this log for a minimum of three months, unless otherwise restricted by law. If processes or checklists are not in place to track your compliance with these reoccurring tasks, you may be in for an unpleasant surprise during your next annual ROC assessment.
Are You Certifiable?
11.2.2 is one of the classic requirements where we see this happen all too often. When we ask a customer if we can review the certified, passing ASV scans from the last four quarters and we get a response such as, “Oops, Susie was responsible for that and she was reassigned to a different department…” we stick our fingers in our ears and say “la la la la” but that hasn’t ever made the problem go away. Unfortunately, when this happens, instead of a 10 minute conversation reviewing 4 certified and passing ASV scans, we have to buy a few pizza’s, cross our fingers and review several external vulnerability scan reports in hopes that the customer can demonstrate they are scanning and remediating to meet the spirit and intent of requirement 11.2.2.
A Ruleset Only a Mother Could Love
We have seen some very ugly firewall rule sets. We do understand that the business must be able to function and exists to make as large a profit as possible – not to sing the praises of PCI. But as QSA’s, we do need to see six month firewall and router rule set reviews and evidence that the rule sets are being maintained with good hygiene. Maintaining clean and healthy firewall rule sets is similar to a good exercise regimen. If your doctor gives you a daily exercise program to maintain your health and you follow it in a haphazard fashion, your doctor is not going to be able to give you a good health report upon your next doctor’s visit. Similarly, you need a solid program in place to make sure that your firewall rule sets remain healthy and only allow the outbound and inbound network traffic that is actually needed and authorized. And let’s face it, automation is needed for most organizations to manage their firewall and router rule sets effectively. Fortunately there are several excellent solutions available on the market that give you the ability to manage your firewall and router rule sets. For example, these solutions can analyze your rule sets to find overlapping and redundant rules, rules that have not been used over that last X days or rules that allow “any” access – a big PCI no-no. They can also provide the change control mechanisms needed to make sure that changes to firewall rule sets are reviewed and approved by authorized individuals and are properly documented so that rule sets are closely and properly managed.
To assist you with making sure that your security program is giving proper attention to specific PCI requirements, we are providing the following two lists. These can be used to create a matrix, review your security operations and to correct any gaps that you may uncover. List 1 covers the frequency with which tasks must be performed related to specific PCI DSS requirements. List 2 shows data retention periods tied to specific requirements. With a little planning, you can keep your PCI compliance on track at all times and avoid unpleasant surprises when your friendly QSA shows up for your next ROC assessment!
List 1 – Recurring PCI Compliance Tasks
1.1.6 – Review firewall and router rule sets (Every 6 Months)
3.1.1 – Automatic or manual process for identifying and securely deleting stored cardholder data (Quarterly)
6.1 – All system components and software are protected from known vulnerabilities (Monthly)
6.6 – Address new threats and vulnerabilities for public-facing web applications (At least annually and after any changes)
8.5.5 – Remove/disable inactive user accounts (Quarterly)
9.5 – Review security of backup media storage location (Annually)
9.9.1 – Properly maintain inventory logs of all media and conduct media inventories (Annually)
10.6 – Review logs for all system components (Daily)
11.1 – Test for the presence of wireless access points and detect unauthorized wireless access points (Quarterly)
11.2.1 – Perform internal vulnerability scans (Quarterly)
11.2.2 – Perform external vulnerability scans via an Approved Scanning Vendor (Quarterly)
11.2.3 – Perform internal and external scans (After any significant change)
11.3 – Perform external and internal penetration testing (At least once a year and after any significant infrastructure or application upgrade or modification)
11.5 – Deploy file-integrity monitoring tools and perform critical file comparisons (Weekly)
12.1.2 – Perform and document a formal risk assessment (Annually)
12.1.3 – Review security policy and update when the environment changes (Annually)
12.2 – Develop daily operational security procedures (Daily)
12.6.1 – Educate personnel (Upon hire and at least annually)
12.6.2 – Require personnel to acknowledge that they have read and understand the security policy and procedures (Annually)
12.8.4 – Maintain a program to monitor service providers’ PCI DSS compliance status (Annually)
List 2 – Data Retention Periods
9.1.1 – Store video camera and/or controls mechanism log (3 months)
9.4 – Retain visitor logs (3 months)
10.7 – Retain audit trail history (1 year)