PCI DSS v3.2.1 Questions and Answers Forum

Topic	Views	Activity
12.3.9 Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use Maintain an Information Security Policy	4	February 26, 2023
12.3.8 Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity Maintain an Information Security Policy	5	February 26, 2023
12.3.7 List of company-approved products Maintain an Information Security Policy	6	February 26, 2023
12.3.6 Acceptable network locations for the technologies Maintain an Information Security Policy	4	February 26, 2023
12.3.5 Acceptable uses of the technology Maintain an Information Security Policy	3	February 26, 2023
12.3.4 A method to accurately and readily determine owner, contact information, and purpose (for example, labeling, coding, and/or inventorying of devices) Maintain an Information Security Policy	4	February 26, 2023
12.3.3 A list of all such devices and personnel with access Maintain an Information Security Policy	3	February 26, 2023
12.3.2 Authentication for use of the technology Maintain an Information Security Policy	4	February 26, 2023
12.3.1 Explicit approval by authorized parties Maintain an Information Security Policy	3	February 26, 2023
12.3 Develop usage policies for critical technologies and define proper use of these technologies Maintain an Information Security Policy	6	February 26, 2023
12.2 Implement a risk-assessment process that: Maintain an Information Security Policy	3	February 26, 2023
12.1.1 Review the security policy at least annually and update the policy when the environment changes Maintain an Information Security Policy	4	February 26, 2023
4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following: Protect Stored Cardholder Data	19	February 9, 2023
12.1 Establish, publish, maintain, and disseminate a security policy Maintain an Information Security Policy	7	February 20, 2023
Requirement 12: Maintain a policy that addresses information security for all personnel Maintain an Information Security Policy	4	February 20, 2023
11.6 Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties Regularly Monitor and Test Networks	5	February 20, 2023
11.5.1 Implement a process to respond to any alerts generated by the change- detection solution Regularly Monitor and Test Networks	5	February 20, 2023
11.5 Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification Regularly Monitor and Test Networks	3	February 20, 2023
11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points Regularly Monitor and Test Networks	6	February 20, 2023
11.3.4.1 Additional requirement for service providers only: If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods Regularly Monitor and Test Networks	4	February 20, 2023
11.3.4 If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify Regularly Monitor and Test Networks	5	February 20, 2023
11.3.3 Exploitable vulnerabilities found during penetration testing are corrected and testing is repeated to verify the corrections Regularly Monitor and Test Networks	9	February 20, 2023
11.3.2 Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification Regularly Monitor and Test Networks	4	February 20, 2023
11.3.1 Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification Regularly Monitor and Test Networks	3	February 20, 2023
11.3 Implement a methodology for penetration testing that includes the following: Regularly Monitor and Test Networks	4	February 20, 2023
11.2.3 Perform internal and external scans, and rescans as needed, after any significant change. Scans must be performed by qualified personnel Regularly Monitor and Test Networks	3	February 20, 2023
11.2.2 Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved Regularly Monitor and Test Networks	4	February 20, 2023
11.2.1 Perform quarterly internal vulnerability scans. Address vulnerabilities and perform rescans to verify all “high risk” vulnerabilities are resolved in accordance with the entity’s vulnerability ranking (per Requirement 6.1) Regularly Monitor and Test Networks	4	February 20, 2023
11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades) Regularly Monitor and Test Networks	4	February 20, 2023
11.1.2 Implement incident response procedures in the event unauthorized wireless access points are detected Regularly Monitor and Test Networks	5	February 20, 2023