How Often is Periodic
The term “periodic” is not new to PCI DSS. But in Version 4, we see a new approach that wraps more governance around the meaning of periodic in Section 7 of PCI DSS V4.0. Periodic becomes a measure that is unique to every organisation.
Governance plays a big role in this because:
- 12.3.1: Every periodic requirement must have a frequency defined that is supported by a risk assessment.
How many requirements will you have to define the frequency of? It’s probably a lot more than you thought!
- 5.2.3.1: Periodically evaluate systems that are not at risk for malware
- 5.3.2.1: If periodic malware scans are used, the frequency needs to be defined
- 7.2.5.1: Evaluate access by application and system accounts periodically
- 8.6.3: Change passwords / passphrases for system accounts periodically
- 9.5.1.2.1: Perform periodic inspections of POI devices
- 10.4.2.1: Perform periodic log reviews of systems that do not require daily log review
- 11.3.1.1: Address all other vulnerabilities (beyond high / critical) from vulnerability scans periodically
- 11.6.1: Perform change and tamper protection for modifications to the HTTP headers and contents of payment pages at least every 7 days or periodically
- 12.10.4: Train personnel responsible for responding to security incidents periodically
Each of these requirements will need its own targeted risk assessment, which means a lot more oversight and governance will be required, even when it comes to defining how often you perform certain requirements!
Need Help With Targeted Risk Assessments?
We can help you understand the risks and what we see as best practices when it comes to determining the frequency of periodic tasks. Talk to us to see how we can help you.