The term “periodic” is not new to PCI DSS. But in Version 4, we see a new approach that wraps more governance around the meaning of periodic in Section 7 of PCI DSS V4.0. Periodic becomes a measure that is unique to every organisation.
Governance plays a big role in this because:
12.3.1: Every periodic requirement must have a frequency defined that is supported by a risk assessment.
How many requirements will you have to define the frequency of? It’s probably a lot more than you thought!
5.2.3.1: Periodically evaluate system components that are not at risk for malware
5.3.2.1: If periodic malware scans are used, the frequency needs to be defined
7.2.5.1: Evaluate access by application and system accounts periodically
8.6.3: Change passwords / passphrases for system accounts periodically
9.5.1.2.1: Perform periodic inspections of POI devices
10.4.2.1: Perform periodic log reviews of systems that do not require daily log review
11.3.1.1: Address all other vulnerabilities (beyond high / critical) from vulnerability scans periodically
11.6.1: Detect changes and tampering in the HTTP headers and contents of payment pages at least every 7 days or periodically
12.10.4: Train personnel responsible for responding to security incidents periodically
Each of these requirements will need its own targeted risk assessment, which means a lot more oversight and governance will be required, even when it comes to defining how often you perform certain requirements!