UPDATED: Changed comments on requirement 10.6.2 to reflect the correct interpretation of that requirement.
No words or phrases in the PCI standards elicit more comments and questions than “significant change”, “periodic” and “periodically”.
So what do these mean? Whatever you want to define them to mean as it is up to each organization to come up with formal definitions. Those definitions should be based on your organization’s risk assessment.
Here are some suggestions as to appropriate definitions.
Significant changes are those changes that could impact or affect the security of your cardholder data environment (CDE). Examples of significant changes are:
- Changing devices such as firewalls, routers, switches and servers. Going from Cisco to Checkpoint firewalls for example is typically understood as a significant change. However, people always question this concept particularly when going from a Cisco ASA 5505 firewall to an ASA 5520 or moving a virtual machine from one cluster to another. The problem is that these moves can potentially introduce new vulnerabilities, network paths or even errors that would go unknown until the next vulnerability scan and penetration test. And your luck would be that those tests are months away, not just a few days.
- Changes to payment applications. This should be obvious, but I cannot tell you how many people argue the point on changes to applications. Yet, application changes are possibly the biggest changes that can affect security. Not only should applications be vulnerability scanned and penetration tested before being put into production, but code review and/or automated code scanning should be performed as well. If any vulnerabilities are found, they must be corrected or mitigated before the application goes into production.
- Upgrades or changes in operating systems. Upgrades and changes in operating systems should also be obvious as significant changes. However, I have run into network and system administrators that want to split hairs over the impact of OS changes. In my opinion, going from one version of an OS to another is just as significant as changing OSes.
- Patching of operating systems or applications. While I do not think that patching necessarily results in a significant change, there are some patches such as updates to critical services such as .NET or the IP stack that should be considered significant. If you are properly working through requirement 6.1 (6.2 in PCI DSS v2) for patch management, you should take this into consideration and indicate if vulnerability scanning and penetration testing are required after any particular patch cycle because of the nature of any of the patches being applied.
- Network changes. Any time you change the network you should consider that a significant change regardless of how “minor” the change might appear. Networks can be like puzzles and the movement of devices or wires can result in unintended paths being opened as a result.
I have a lot of clients that have an indicator in their change management system or enter “Significant Change” in the change comments for flagging significant changes. That way they can try and coordinate significant changes with their scheduled vulnerability scanning and penetration testing. It does not always work out, but they are trying to make an attempt at minimizing the number of special scans and tests that are performed. But such an approach also has a side benefit when it comes time to do their PCI assessment as they can call up all significant changes and those can be tied to the vulnerability scans and penetration tests.
I would see this list as the bare minimum of significant changes. As I stated earlier, it is up to your organization to develop your own definition of what constitutes a significant change.
Periodic and Periodically
Branden Williams was on a Podcast shortly after the PCI DSS v3 was released and made a comment that he felt that the number of occurrences for the words “periodic” or “periodically” were higher in the new version of the PCI DSS than in the previous version. That got me thinking so I went and checked it out. Based on my analysis, these words occur a total of 20 times in the PCI DSS v3 with 17 of those occurrences in the requirements/tests. That is a 150% total increase over v2 and an increase of 113% in the requirements/tests.
First off, just to shatter some people’s perception of the word, “periodic” does not equate to “annual”. Yes, there may be instances where an activity can occur annually and still meet PCI DSS compliance. But that is likely a rare occurrence for all but the smallest organizations and is definitely not how the Council has defined it.
The Council uses the words “periodic” and “periodically” to reflect that an organization should be following the results of their risk assessment to determine how often or “periodically” they should perform a certain activity. For some organizations, that might happen to work out to be annually. But for most organizations it will work out to be something more often than annually.
So what requirements specific a periodic time period? Here are some of the more notable occurrences.
- 5.1.2 For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.Typically this would be done annually, but forensic analysis of breaches has indicated that it needs to be done more often, particularly with Linux and other Unix derivatives. Based on threats semi-annual or even quarterly reviews may be needed for systems you believe to not warrant an anti-virus solution.
- 5.2 Ensure that all anti-virus mechanisms are maintained as follows: Are kept current, Perform periodic scans, Generate audit logs which are retained per PCI DSS Requirement 10.7.Periodic scanning is always an issue with servers but, surprisingly, even more so with workstations. In my opinion, at a minimum, scans for viruses and malware should be done at least weekly. This might need to be done daily if the systems are particularly at risk such as in call centers where the workstations my go to the Internet to be able to access competitor sales offerings.
- 8.2.4.b Additional testing procedure for service providers: Review internal processes and customer/user documentation to verify that: Non-consumer user passwords are required to change periodically; and Non-consumer users are given guidance as to when, and under what circumstances, passwords must change.This requirement pairs with 8.6.2 which requires service providers with remote access to customers’ systems to not use the same credentials for each customer. A number of recent breaches have pointed out the issue such a practice can lead. Not only are different credentials needed by the password for those credentials needs to change periodically, typically every 90 days. This will likely spur the sales of enterprise credential vaults and similar solutions in the service provider ranks.But it is not just service provider’s credentials; it is also their customers’ credentials. Service providers need to advise their customers to change their passwords periodically as well. And that should also be at 90 day intervals at a minimum.
- 9.7 Obtain and examine the policy for controlling storage and maintenance of all media and verify that the policy requires periodic media inventories.For this requirement, the PCI DSS already provides a required timeframe of at least annually.
- 9.8 Examine the periodic media destruction policy and verify that it covers all media and defines requirements for the following:Periodic here typically means quarterly or even monthly if you have the volume of media to be destroyed. The key though is to secure the media until it is destroyed.
- 9.9 Examine documented policies and procedures to verify they include: Maintaining a list of devices, Periodically inspecting devices to look for tampering or substitution, Training personnel to be aware of suspicious behavior and to report tampering or substitution of devices.Here periodic means at least daily, if not more often. I have clients that examine their points of interaction (POI) at every management shift change which works out to three or four times a day. Given the POI is becoming the primary target of attacks, this will only become more important as time goes on given the current paradigm.
- 9.9.2 Periodically inspect device surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device).Again, periodic means at least daily, if not more often. I have clients that examine their points of interaction (POI) at every management shift change which works out to three or four times a day. Given the POI is becoming the primary target of attacks, this will only become more important as time goes on given the current paradigm.
- 10.6.2 Review logs of all other system components periodically based on the organization’s policies and risk management strategy, as determined by the organization’s annual risk assessment.This requirement allows systems to be ranked using an organization’s risk assessment to drive how often log data from systems have to be reviewed. While systems that directly process, store or transmitcardholder data (CHD) must have their log data reviewed at least daily, other systems that are in-scope can have their log data reviewed less often based on the risk they present to the CDE systems. Based on assessing the risk to these “connected to” systems, you might be able to justify weekly or even monthly review of log data. I doubt this will have a significant impact because most organizations have implemented internal or outsourced system information and event management (SIEM) solutions and are monitoring all in-scope systems in near real time. But for those few organizations that are struggling with log reviews without a SIEM, this will afford them a bit of breathing space.
- 12.10.4 Verify through observation, review of policies, and interviews of responsible personnel that staff with responsibilities for security breach response are periodically trained.It amazes me the number of organizations that claim to not have had an incident in the last year, even a virus or malware outbreak. Either they were totally dealt with by their anti-virus solution (hard to believe) or I am not talking to thepeople that deal with these issues (probably more likely). As a result, testing (which can satisfy this training requirement) is only being done annually just like business continuity plan testing.Given the ever increasing amount of threats, this sort of training needs to be done more often than just annually. Organizations should be at least testing their incident response plan on a quarterly basis so that people keep their skills up as well we just exercising the plan and finding any gaps or processes that need adjustment.
Hopefully we are now all on the same page with these terms.