Merchants have been required to perform internal vulnerability scans at least quarterly, and again after any "significant change" to the cardholder data environment, since the Payment Card Industry Data Security Standard (PCI DSS) was first introduced. Many merchants have paid little attention to this requirement, treating the annual PCI assessment by their QSA or internal auditor as the whole of their obligation instead of maintaining an ongoing compliance program between assessments.
There are many things you must do on a regular basis to remain PCI compliant throughout the year, and each of them improves your overall security program as well. Daily: review backup logs, system component logs, and the records of tape exchanges with offsite storage locations. Monthly (or sooner when a new critical vulnerability is identified): push out patches. Quarterly: check for rogue wireless access points, run internal vulnerability scans and external scans by an Approved Scanning Vendor (ASV), review accounts for inactivity and disable or remove those that are no longer used, and purge any cardholder data that has exceeded its retention period.
Other checks are due at least semi-annually, including updating network diagrams and reviewing firewall and router rule sets. Your annual checklist should include a complete audit of backup tapes, a thorough update of the risk assessment, a review of all policies and procedures, internal and external penetration testing, an organization-wide inventory of devices and hardware, and security awareness training for all employees. The annual checks must also include training on and testing of incident response procedures, changing encryption keys (or sooner if their defined cryptoperiod is shorter), reviewing the physical and logical security of your backup site, and confirming that your service providers and vendors remain PCI compliant as well.
Security should not be treated as a once-a-year checkmark but as an everyday state of being. Security is a process, and a process only works if it is followed every day, not once a year. By taking this approach you not only meet the intent of the PCI DSS requirements rather than just their letter, but also better protect your business and your customers.