There’s a critical date approaching in the PCI DSS calendar. Some of you may be wondering “what date could possibly be that important?”
In an earlier blog, published last year on the PCI DSS v3.2 countdown, we explained that a number of PCI DSS v3.2 requirements that had been best practice became mandatory on 1st February 2018. The one this article draws your attention to applies to service providers only, who must:
“Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures”
Reviews must cover the following processes:
- Daily log reviews
- Firewall rule-set reviews
- Applying configuration standards to new systems
- Responding to security alerts
- Change management” (Requirement 12.11)
and must be able to prove that they did so:
“Maintain documentation of quarterly review process to include:
- Documenting results of the reviews
- Review and sign-off of results by personnel assigned responsibility for the PCI DSS compliance program” (Requirement 12.11.1).
Given that this must be done quarterly, and that it has been mandatory since 1st February 2018, the first quarter ends on 30th April 2018: if you have not completed and documented an iteration of the review before 1st May 2018, you will be out of compliance. This may have caught some of you out, but there is still time.
Remember, this is no different from any other frequency-based item such as ASV scans or card data discovery: if you cannot show the QSA evidence that you are doing it quarterly, you are not meeting the intent of the requirement and it will be marked Not In Place.
Use diary reminders, ticket schedules, or any other reliable mechanism, but get that first review completed and the subsequent ones scheduled. Remember, this is a business-as-usual activity, not a project activity; assign responsibility for it to a role within your organisation and get it done.
If you need some guidance on how to meet the intent of this requirement, contact Nettitude today, our team are on hand to help ensure you remain compliant.