Home > Information Technology > Mandatory maintenance checks that must be performed for PCI DSS 4.01 Requirements.

Mandatory maintenance checks that must be performed for PCI DSS 4.01 Requirements.

1. Security Policy and Procedures

Ensure security policies are up-to-date and reflect current practices.

Review existing policies regularly.
Compare with industry standards.
Update policies to address new threats.
Incorporate feedback from stakeholders.

Review and document changes to security policies annually.

Schedule annual policy review meetings.
Document changes in a version history.
Communicate changes to all employees.
Ensure documentation is accessible.

Train employees on security policies and procedures at least annually.

Schedule annual training sessions.
Use various formats (e.g., workshops, e-learning).
Track attendance and completion.
Update training materials as policies change.

Establish a clear process for the creation, review, and approval of security policies

Define roles for policy creation.
Set timelines for each review stage.
Document approval processes.
Ensure transparency in policy changes.

Ensure that security policies are communicated effectively to all employees and relevant stakeholders

Use multiple communication channels.
Provide summaries for quick reference.
Encourage questions and discussions.
Monitor understanding through surveys.

Designate a responsible party or team for the ongoing management and oversight of security policies

Identify key personnel for policy oversight.
Assign roles and responsibilities clearly.
Establish regular check-ins for policy management.
Ensure accountability within the team.

Include a mechanism for employees to provide feedback on security policies and suggest improvements

Create a feedback form or portal.
Encourage open discussions on policies.
Review feedback regularly.
Incorporate actionable suggestions.

Ensure that security policies are accessible to all employees, including remote workers and third-party vendors

Host policies on a secure intranet.
Provide access to remote employees.
Ensure third-party vendors receive necessary policies.
Regularly check access permissions.

Regularly assess the effectiveness of security policies through audits or assessments

Schedule periodic audits of policies.
Use both internal and external auditors.
Document findings and recommendations.
Implement changes based on audit results.

Incorporate any relevant legal, regulatory, or compliance requirements into security policies

Identify applicable laws and regulations.
Regularly update policies to reflect changes.
Consult legal experts during updates.
Train employees on compliance requirements.

Develop a process for handling and addressing non-compliance with security policies

Define consequences for non-compliance.
Create a reporting mechanism.
Document incidents and responses.
Review processes regularly for effectiveness.

Ensure that security policies cover incident response procedures and escalation paths

Define clear incident response roles.
Outline escalation procedures in detail.
Conduct drills to test response effectiveness.
Update procedures based on drill outcomes.

Review and update security policies in response to changes in the threat landscape or organizational structure

Monitor threat intelligence sources.
Assess organizational changes regularly.
Update policies to mitigate new risks.
Communicate updates promptly to all.

Include a process for documenting exceptions to security policies and procedures

Define criteria for exceptions.
Create a standardized exception request form.
Review and approve exceptions systematically.
Document all approved exceptions clearly.

Conduct periodic reviews to ensure that security policies align with business objectives and risk management strategies

Schedule regular alignment meetings.
Involve stakeholders from different departments.
Assess business objectives against current policies.
Update policies to support strategic goals.

2. Network Security

Verify firewall configuration and rules are documented and reviewed at least every six months.

Gather current firewall configurations and rules.
Review documentation against existing network needs.
Consult with stakeholders for necessary updates.
Document any changes made during the review.
Set reminders for the next review cycle.

Ensure that all default passwords and security parameters are changed for hardware and software.

Identify all hardware and software components.
Access each device and application settings.
Change default passwords to strong, unique passwords.
Document all changes made.
Schedule regular audits to ensure compliance.

Conduct regular vulnerability scans and penetration testing at least quarterly.

Select appropriate tools for vulnerability scanning.
Schedule scans and testing sessions quarterly.
Analyze results and prioritize identified vulnerabilities.
Develop remediation plans for critical findings.
Document findings and actions taken.

Ensure that all network devices are properly configured to use strong encryption protocols for data in transit

Review current encryption protocols in use.
Update configurations to use strong standards (e.g., TLS 1.2+).
Test configurations to ensure effectiveness.
Document encryption settings for all devices.
Monitor for updates in encryption standards.

Implement and maintain an up-to-date inventory of all network components, including routers, switches, and firewalls

Create a comprehensive list of all network devices.
Assign unique identifiers to each component.
Regularly update the inventory with new additions or removals.
Include details like IP addresses and configurations.
Review inventory for accuracy at least annually.

Segregate the cardholder data environment (CDE) from other networks to minimize exposure to threats

Define the boundaries of the CDE.
Implement firewalls or VLANs to separate the CDE.
Restrict access to the CDE based on roles.
Regularly assess segregation measures for effectiveness.
Document all segregation methods and policies.

Regularly review and update network diagrams to reflect current configurations and connections

Create initial network diagrams based on current architecture.
Update diagrams whenever changes occur in the network.
Ensure clarity and detail in diagrams for all components.
Store diagrams in a central, accessible location.
Review diagrams for accuracy at least annually.

Ensure that all unnecessary network services are disabled on devices to reduce attack surfaces

Identify all running services on network devices.
Document services that are not required.
Disable unnecessary services to minimize vulnerabilities.
Regularly audit devices for enabled services.
Implement a change management process for service updates.

Require strong authentication methods for remote access to the network, including two-factor authentication where applicable

Assess current remote access methods in use.
Implement strong authentication protocols (e.g., MFA).
Educate users on secure remote access practices.
Regularly review access logs for compliance.
Document all authentication policies and methods.

Monitor and analyze network traffic for unusual or unauthorized activities on an ongoing basis

Deploy network monitoring tools to capture traffic data.
Establish baselines for normal traffic patterns.
Set alerts for unusual activities or anomalies.
Review logs regularly for unauthorized access attempts.
Document findings and actions taken during analysis.

Implement and maintain a process for applying security patches and updates to all network devices within a defined timeframe

Identify all hardware and software requiring updates.
Establish a schedule for regular patch management.
Test patches in a controlled environment before deployment.
Document applied patches and their impact.
Review patch management effectiveness regularly.

Ensure that proper logging is enabled on all network devices to capture security-related events and incidents

Review logging capabilities of each network device.
Enable logging for all critical security events.
Regularly review logs for suspicious activity.
Store logs securely and ensure retention policies are met.
Document logging configurations and policies.

Conduct regular training for network administrators on secure configuration practices and emerging threats

Develop training materials on secure practices and threats.
Schedule regular training sessions (e.g., semi-annually).
Incorporate real-world examples and case studies.
Collect feedback to improve future training.
Document attendance and topics covered.

These steps can help ensure a robust network security posture in compliance with PCI DSS requirements

3. Access Control

Review user access rights and ensure that access is limited to only those who need it.

Identify all users with access to the system.
Evaluate user roles and their necessity for access.
Adjust access rights based on role requirements.
Document access changes for accountability.

Implement and review multi-factor authentication for all access to the cardholder data environment (CDE).

Select appropriate multi-factor authentication methods.
Enforce MFA across all access points to CDE.
Regularly test and update authentication mechanisms.
Educate users on MFA usage and importance.

Ensure that all user accounts are disabled or removed when no longer needed.

Establish a timeline for account review post-employment.
Disable accounts promptly after termination or role change.
Verify the removal of access for inactive users.
Maintain logs of account status changes.

Conduct regular audits of user access logs to identify any unauthorized access attempts

Schedule audits on a regular basis.
Use automated tools for log analysis.
Investigate any anomalies or unauthorized attempts.
Report findings and take corrective actions.

Implement role-based access controls (RBAC) to ensure users are granted the minimum level of access necessary for their job functions

Define roles and associated permissions clearly.
Assign users to roles based on job functions.
Regularly review role assignments for accuracy.
Document the RBAC structure and changes.

Review and update access control policies and procedures at least annually or whenever significant changes occur in the organization

Set a schedule for policy reviews.
Gather input from stakeholders during reviews.
Update documentation to reflect current practices.
Communicate changes to all relevant personnel.

Ensure that all remote access to the cardholder data environment (CDE) is secured and monitored

Implement VPN or secure tunneling for remote access.
Require MFA for all remote connections.
Monitor remote access logs for suspicious activity.
Regularly review remote access policies.

Require strong password policies that include complexity requirements, change frequency, and history of password reuse

Define complexity requirements (e.g., length, characters).
Set guidelines for password expiration and reuse.
Enforce policies through technical controls.
Educate users on creating and managing secure passwords.

Maintain a record of all user account creations, modifications, and deletions for auditing purposes

Implement a logging mechanism for account changes.
Ensure logs are stored securely and reviewed regularly.
Establish a retention period for audit logs.
Document procedures for handling account change requests.

Provide training to all personnel on secure access practices and the importance of safeguarding user credentials

Schedule regular training sessions for all employees.
Cover topics such as phishing, password management, and MFA.
Assess training effectiveness through quizzes or surveys.
Keep training materials up to date.

Ensure that default accounts (e.g., vendor-provided accounts) are disabled or modified to meet security policies

Identify all default accounts in use.
Disable or rename default accounts immediately.
Review permissions assigned to modified accounts.
Document changes for compliance purposes.

Monitor and log all access to the CDE, and review logs regularly for suspicious activity

Implement logging for all access events.
Set up alerts for unusual access patterns.
Regularly review logs and investigate anomalies.
Document findings and actions taken.

Implement a process for periodically reviewing and validating third-party access to the cardholder data environment

Create a schedule for third-party access reviews.
Evaluate the necessity of each third-party access.
Document findings and any changes made.
Communicate results to relevant stakeholders.

4. Data Protection

Verify that cardholder data is encrypted during transmission and at rest.

Use strong encryption methods such as AES-256.
Utilize secure protocols like TLS for data in transit.
Regularly audit encryption mechanisms.
Ensure encryption keys are not hard-coded in applications.
Test decryption processes for reliability.

Ensure that encryption keys are managed securely and are changed at least annually.

Implement a key management policy.
Use hardware security modules (HSM) for key storage.
Conduct annual key rotation and document the process.
Limit access to key management systems.
Log all key management activities.

Conduct regular reviews of the data retention and disposal policies to ensure compliance.

Schedule reviews at least annually.
Document retention periods for all data types.
Ensure secure disposal methods are defined.
Audit compliance with the disposal policy.
Update policies based on regulatory changes.

Ensure that all cardholder data is stored in a secure environment with access controls in place

Implement tokenization or masking techniques to protect cardholder data when displayed or stored

Conduct regular vulnerability assessments on systems that store, process, or transmit cardholder data to identify and remediate security weaknesses

Verify that access to cardholder data is restricted to only those individuals who need it for their job responsibilities

Ensure that strong cryptographic algorithms and protocols are used for encrypting cardholder data

Maintain a record of all access to cardholder data, including who accessed it and when

Implement measures to ensure that sensitive data is not stored on devices that are not adequately secured

Regularly train personnel on data protection policies and practices related to cardholder data

Review and update data classification policies to ensure all data is appropriately categorized and protected

Verify that all third-party service providers handling cardholder data comply with PCI DSS requirements

Establish an incident response plan specifically addressing breaches involving cardholder data

5. Logging and Monitoring

Ensure that logging is enabled on all systems that handle cardholder data.

Identify all systems processing cardholder data.
Enable logging features on these systems.
Verify logging configurations to ensure they capture relevant events.
Test logging functionality to confirm data is recorded.

Review logs for suspicious activity at least daily.

Schedule daily log review tasks.
Use automated tools to assist in log analysis.
Look for anomalies such as repeated failed logins.
Document findings and escalate suspicious activity.

Maintain logs for a minimum of one year, with at least three months readily available for review.

Establish a log retention schedule.
Ensure logs are archived securely after three months.
Verify accessibility of recent logs for quick review.
Regularly check storage capacity for log files.

Implement automated logging tools to aggregate logs from various sources for centralized monitoring

Select appropriate logging aggregation tools.
Configure tools to collect logs from all relevant systems.
Test the aggregation process for accuracy.
Ensure centralized logs are protected and accessible.

Establish a process for identifying and responding to anomalies detected in logs

Define criteria for what constitutes an anomaly.
Create a response plan for identified anomalies.
Train staff on incident response procedures.
Document and review responses to improve processes.

Ensure that logs include details such as user identification, type of event, date and time, and success or failure of the event

Review logging configurations to ensure required fields are included.
Test logs to verify they capture all necessary details.
Regularly audit logs for completeness.
Update logging practices as needed.

Regularly review and update logging configurations to ensure they comply with current security policies and PCI DSS requirements

Schedule periodic reviews of logging configurations.
Compare current configurations against PCI DSS requirements.
Document any changes made to configurations.
Communicate updates to relevant stakeholders.

Conduct periodic audits of log data to ensure completeness and accuracy

Establish an audit schedule for log data.
Randomly sample logs to verify the integrity of data.
Document findings and any discrepancies noted.
Address and rectify identified issues promptly.

Define roles and responsibilities for log management and monitoring within the organization

Identify key personnel responsible for log management.
Document roles and responsibilities clearly.
Ensure all team members are aware of their duties.
Review and update roles as organizational needs change.

Protect log files from unauthorized access and ensure that logs are stored in a secure location

Implement access controls for log storage.
Use encryption for stored log files.
Monitor access logs for unauthorized attempts.
Regularly review and update security measures.

Establish a retention policy for logs that aligns with business needs and compliance requirements

Consult compliance requirements for log retention.
Define business needs that impact log retention.
Document and communicate the retention policy.
Regularly review the policy for relevance.

Train staff on the importance of logging and monitoring, as well as how to recognize and respond to potential security incidents

Develop training materials focused on logging importance.
Schedule regular training sessions for staff.
Include practical exercises for incident recognition.
Evaluate training effectiveness and make improvements.

Test and validate the logging and monitoring systems regularly to ensure they function as intended and effectively capture relevant data

Create a testing schedule for logging systems.
Simulate various events to test capture accuracy.
Document results of tests and any issues found.
Implement fixes for any identified deficiencies.

Set up alerts for critical incidents that require immediate attention, ensuring they are communicated to the appropriate personnel

Define criteria for critical incidents.
Configure alert settings in logging tools.
Test alert functionality to ensure timely notifications.
Establish a communication protocol for alerts.

Document the procedures for logging and monitoring, including how logs are reviewed, analyzed, and stored

Create a comprehensive documentation template.
Detail each step of the logging process.
Ensure documentation is accessible to relevant personnel.
Review and update documentation regularly.

6. Incident Response

Maintain an up-to-date incident response plan and review it at least annually.

Assign a team responsible for the plan.
Update the plan with new threats and technologies.
Schedule annual reviews and document updates.
Distribute the updated plan to relevant personnel.

Conduct incident response training and simulations at least annually.

Develop training materials that reflect current threats.
Schedule training sessions and simulations annually.
Evaluate participant performance and gather feedback.
Update training content based on lessons learned.

Ensure that incidents are tracked and documented for future reference and compliance purposes.

Create a standardized incident report template.
Assign responsibility for documentation to team members.
Ensure all incidents are logged promptly.
Maintain a secure repository for documented incidents.

Establish a clear communication plan for notifying stakeholders and affected parties during and after an incident

Identify key stakeholders and affected parties.
Develop templates for communication during incidents.
Set up a notification system for stakeholders.
Review and update the communication plan regularly.

Define roles and responsibilities for the incident response team members and ensure they are clearly documented

Create a detailed role description for each team member.
Document responsibilities and authority levels.
Distribute the role definitions to all team members.
Review roles and responsibilities periodically.

Implement a triage process to assess the severity and impact of incidents promptly

Develop criteria for assessing incident severity.
Train team members on triage procedures.
Establish a response priority system based on severity.
Document triage decisions for future reference.

Conduct post-incident reviews to analyze the response effectiveness and identify areas for improvement

Schedule reviews soon after incident resolution.
Gather input from all involved team members.
Document findings and lessons learned.
Create action items for future improvements.

Maintain an inventory of critical assets and their locations to aid in incident response efforts

Develop a comprehensive asset inventory list.
Regularly update the inventory to reflect changes.
Categorize assets by criticality and location.
Ensure easy access to the inventory for response teams.

Ensure that all incident response tools and technologies are up-to-date and properly configured

Review tool configurations regularly.
Schedule updates for software and hardware.
Test tools to ensure they function correctly.
Document all updates and configurations.

Develop a process for reporting incidents to external parties, including law enforcement, if necessary

Identify external reporting requirements and agencies.
Create a reporting protocol for team members.
Train staff on when and how to report externally.
Document all external communications related to incidents.

Integrate threat intelligence and analysis into the incident response process to enhance detection and response capabilities

Subscribe to relevant threat intelligence feeds.
Regularly analyze threat data for actionable insights.
Incorporate findings into the incident response plan.
Train staff on how to utilize threat intelligence.

Regularly update the incident response plan based on lessons learned from previous incidents and changes in the threat landscape

Schedule regular reviews of the incident response plan.
Incorporate feedback from post-incident reviews.
Adjust strategies based on evolving threat landscapes.
Communicate updates to all relevant personnel.

Ensure that all employees understand how to report suspicious activities or potential security incidents

Develop a clear reporting procedure for employees.
Conduct training sessions on reporting protocols.
Provide easy access to reporting channels.
Regularly remind staff of the importance of reporting.

Conduct tabletop exercises to evaluate the incident response plan in realistic scenarios involving multiple departments

Design realistic scenarios involving various departments.
Schedule periodic tabletop exercises.
Document outcomes and areas for improvement.
Incorporate feedback into the incident response plan.

Establish metrics and key performance indicators (KPIs) to measure the effectiveness of the incident response activities

Define KPIs relevant to incident response.
Regularly collect data on incident response performance.
Analyze results to identify trends and areas for improvement.
Report metrics to management for review.

7. Third-Party Management

Review and document third-party service provider agreements and ensure they comply with PCI DSS requirements.

Collect all service provider agreements.
Verify compliance with PCI DSS requirements.
Document any gaps or issues.
Communicate necessary changes to providers.
Retain documentation for audit purposes.

Conduct risk assessments on third-party providers at least annually.

Identify all third-party providers.
Develop a risk assessment framework.
Evaluate potential risks associated with each provider.
Document findings and remediation actions.
Review assessments annually and update as necessary.

Ensure that third-party providers have their own data security policies and procedures in place.

Request copies of security policies from providers.
Review policies for adequacy and compliance.
Verify policies are implemented and followed.
Document the review process and findings.
Reassess policies annually or as needed.

Establish a process for ongoing due diligence to evaluate the security posture of third-party providers

Create a due diligence checklist.
Schedule regular reviews of provider security practices.
Document findings and follow up on issues.
Use industry benchmarks for evaluation.
Adjust due diligence processes as necessary.

Require third-party providers to undergo regular security assessments, audits, or penetration testing, and review the results

Specify assessment requirements in contracts.
Track assessment schedules for each provider.
Review assessment reports thoroughly.
Document findings and address vulnerabilities.
Ensure timely follow-up on recommended actions.

Ensure that third-party contracts include clauses for incident reporting and response procedures in case of a data breach

Review existing contracts for incident response clauses.
Amend contracts to include necessary clauses.
Ensure clarity on reporting timelines and responsibilities.
Document all contract revisions.
Communicate requirements to all providers.

Maintain an inventory of all third-party service providers that handle cardholder data or have access to it

Create a centralized inventory list.
Include contact information and service details.
Update inventory regularly, particularly after changes.
Ensure access to the inventory is restricted.
Review the inventory for completeness annually.

Monitor third-party vendors for any changes in their security practices or regulatory compliance status

Set up alerts for vendor updates.
Regularly review vendor communications and reports.
Document any changes in security practices.
Assess impact on compliance and risk.
Adjust monitoring processes as needed.

Develop and implement a termination procedure to ensure the secure removal of access to cardholder data when a third-party relationship ends

Define a clear termination process.
Document steps for data access removal.
Ensure secure data destruction methods are specified.
Communicate termination procedures to all stakeholders.
Review and update termination procedures regularly.

Require third-party providers to demonstrate compliance with relevant security standards and regulations (beyond PCI DSS, as applicable)

Identify applicable security standards for each provider.
Request compliance documentation from providers.
Review and assess compliance against standards.
Document compliance status and any gaps.
Follow up on remediation for any identified issues.

Ensure that third-party providers have appropriate access controls in place to restrict access to sensitive data

Request access control policies from providers.
Evaluate the effectiveness of access controls.
Verify role-based access is implemented.
Document access control assessments.
Require updates as necessary based on findings.

Review and update third-party management processes and policies regularly to adapt to changing threats and compliance requirements

Schedule regular review meetings.
Assess current policies against new threats.
Incorporate feedback from audits and assessments.
Document any changes made to policies.
Communicate updates to all relevant parties.

8. Security Awareness

Implement a security awareness program for all employees, with training provided at least annually.

Design a comprehensive program covering security policies.
Schedule training sessions at least once a year.
Use engaging formats like workshops and e-learning.
Track participation and completion rates.

Ensure that employees are aware of the importance of protecting cardholder data and recognize potential threats.

Highlight the significance of cardholder data protection.
Provide examples of potential threats and their impacts.
Utilize real-world case studies to emphasize risks.
Distribute materials that outline best practices.

Conduct regular phishing and social engineering tests to evaluate employee awareness.

Design phishing simulation emails and scenarios.
Schedule tests quarterly to maintain vigilance.
Provide immediate feedback to participants.
Analyze results to identify areas for improvement.

Develop and distribute security awareness materials, such as newsletters, posters, or email alerts, to reinforce training concepts

Create visually appealing and informative content.
Distribute materials through various channels regularly.
Update content based on current threats.
Encourage sharing of materials among employees.

Conduct onboarding security training for new employees as part of the hiring process

Include security training in the onboarding schedule.
Provide an overview of company security policies.
Introduce key contacts for security-related queries.
Assess understanding through quizzes or discussions.

Establish a process for employees to report security incidents or suspicious activities, and ensure they understand how to use it

Define clear reporting channels and procedures.
Communicate reporting process during training.
Encourage prompt reporting without fear of repercussions.
Follow up on reports to ensure accountability.

Offer specialized training for employees in roles with heightened access to sensitive data or systems

Identify roles requiring additional security training.
Provide tailored training focusing on specific risks.
Incorporate role-specific scenarios and case studies.
Evaluate training effectiveness through assessments.

Schedule periodic refresher training sessions or workshops to reinforce key security concepts throughout the year

Plan sessions based on evolving security trends.
Incorporate interactive elements like discussions or Q&A.
Encourage participation through incentives.
Track attendance and feedback for future improvements.

Implement an evaluation mechanism to assess the effectiveness of the security awareness program, such as surveys or feedback sessions

Create surveys to gauge employee knowledge and engagement.
Conduct feedback sessions after training sessions.
Analyze feedback to identify strengths and weaknesses.
Adjust program content based on evaluation results.

Encourage a culture of security by recognizing and rewarding employees who demonstrate good security practices

Establish a recognition program for security champions.
Publicly acknowledge employees' contributions to security.
Offer incentives such as gift cards or bonuses.
Share success stories to motivate others.

Ensure that security policies and procedures are easily accessible to all employees and that they are regularly updated

Host policies on an intranet or shared drive.
Regularly review and update policies as needed.
Notify employees of changes to policies promptly.
Encourage employees to familiarize themselves with the policies.

Provide resources for employees to stay informed about the latest security trends and threats, such as webinars or recommended reading materials

Curate a list of reputable security resources.
Organize webinars with industry experts.
Share articles and reports regularly via email.
Encourage participation in external security events.

Monitor and analyze security incidents related to human error, and adjust training content to address identified gaps in knowledge or awareness

Track incidents and categorize them by type.
Identify common patterns and areas lacking awareness.
Revise training content to address these gaps.
Share lessons learned with employees to prevent recurrence.

These steps can help foster a security-conscious workforce and enhance the overall effectiveness of the organization's security posture

Download CSV Download JSON Download Markdown

Use in Manifestly

AI Checklist Generator

Mandatory maintenance checks that must be performed for PCI DSS 4.01 Requirements.

1. Security Policy and Procedures

2. Network Security

3. Access Control

4. Data Protection

5. Logging and Monitoring

6. Incident Response

7. Third-Party Management

8. Security Awareness

Related Checklists

Security Checklist

Server Maintenance Checklist

Desktop Configuration Checklist

Incident Response Checklist

Data Backup Checklist

Software Update Checklist

Server Configuration Checklist

Performance Monitoring Checklist

Network Maintenance Checklist

Patch Management Checklist

Disaster Recovery Checklist

Software Installation Checklist

User Access Control Checklist