PCI DSS v3.2.1 Questions and Answers Forum

Topic	Views	Activity
12.3.9 Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use Maintain an Information Security Policy	118	February 26, 2023
12.3.8 Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity Maintain an Information Security Policy	163	February 26, 2023
12.3.7 List of company-approved products Maintain an Information Security Policy	156	February 26, 2023
12.3.6 Acceptable network locations for the technologies Maintain an Information Security Policy	110	February 26, 2023
12.3.5 Acceptable uses of the technology Maintain an Information Security Policy	78	February 26, 2023
12.3.4 A method to accurately and readily determine owner, contact information, and purpose (for example, labeling, coding, and/or inventorying of devices) Maintain an Information Security Policy	71	February 26, 2023
12.3.3 A list of all such devices and personnel with access Maintain an Information Security Policy	78	February 26, 2023
12.3.2 Authentication for use of the technology Maintain an Information Security Policy	65	February 26, 2023
12.3.1 Explicit approval by authorized parties Maintain an Information Security Policy	61	February 26, 2023
12.3 Develop usage policies for critical technologies and define proper use of these technologies Maintain an Information Security Policy	116	February 26, 2023
12.2 Implement a risk-assessment process that: Maintain an Information Security Policy	102	February 26, 2023
12.1.1 Review the security policy at least annually and update the policy when the environment changes Maintain an Information Security Policy	72	February 26, 2023
4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following: Protect Stored Cardholder Data	162	February 9, 2023
12.1 Establish, publish, maintain, and disseminate a security policy Maintain an Information Security Policy	78	February 20, 2023
Requirement 12: Maintain a policy that addresses information security for all personnel Maintain an Information Security Policy	170	February 20, 2023
11.6 Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties Regularly Monitor and Test Networks	70	February 20, 2023
11.5.1 Implement a process to respond to any alerts generated by the change- detection solution Regularly Monitor and Test Networks	97	February 20, 2023
11.5 Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification Regularly Monitor and Test Networks	155	February 20, 2023
11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points Regularly Monitor and Test Networks	110	February 20, 2023
11.3.4.1 Additional requirement for service providers only: If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods Regularly Monitor and Test Networks	92	February 20, 2023
11.3.4 If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify Regularly Monitor and Test Networks	86	February 20, 2023
11.3.3 Exploitable vulnerabilities found during penetration testing are corrected and testing is repeated to verify the corrections Regularly Monitor and Test Networks	97	February 20, 2023
11.3.2 Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification Regularly Monitor and Test Networks	77	February 20, 2023
11.3.1 Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification Regularly Monitor and Test Networks	74	February 20, 2023
11.3 Implement a methodology for penetration testing that includes the following: Regularly Monitor and Test Networks	110	February 20, 2023
11.2.3 Perform internal and external scans, and rescans as needed, after any significant change. Scans must be performed by qualified personnel Regularly Monitor and Test Networks	99	February 20, 2023
11.2.2 Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved Regularly Monitor and Test Networks	253	February 20, 2023
11.2.1 Perform quarterly internal vulnerability scans. Address vulnerabilities and perform rescans to verify all “high risk” vulnerabilities are resolved in accordance with the entity’s vulnerability ranking (per Requirement 6.1) Regularly Monitor and Test Networks	80	February 20, 2023
11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades) Regularly Monitor and Test Networks	103	February 20, 2023
11.1.2 Implement incident response procedures in the event unauthorized wireless access points are detected Regularly Monitor and Test Networks	100	February 20, 2023