866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
View All Services
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

How to Define Time in PCI DSS 4.0 Blog Feature
Matt Howard

By: Matt Howard

Print/Save as PDF

How to Define Time in PCI DSS 4.0

Payment Card Assessments

 

In Marvel Comics, Dr. Strange is the keeper of the Time Stone, an ancient artifact that holds dominion over the forces of time. If you’ve delved into comic book lore—or worse, watched any of the Marvel Cinematic Universe films—you know that trying to affect set timelines can get messy fast.

 

Dr. Strange is charged with keeping mankind on the set path forward—away from deviations that could alter history and devastate the universe—and he’s able to do that because he’s the Sorcerer Supreme.

 

But you’re not, and now that this new version of the PCI DSS has dropped, you’re probably wondering how exactly you too can keep your timeline tidy so that your future assessments go as planned.

 

After all, you don’t have magic powers or a mystical, almighty stone at your disposal.

 

But you do have us. As PCI QSAs, we’ve spent time dissecting this new version of payment card security’s flagship standard and we want to help you understand it as best we can.

 

In this article, we’ll focus specifically on breaking down the new explanations and definitions of timeframes in the PCI DSS v4.0 Standard. We’ll help you unravel the new, more improved guidance around time so that you’ll be certain what’s expected going forward.

 

Understanding the New Terminology in PCI DSS v4.0

Time-defining words still exist in this new standard—in fact even more so—but we now have much better guidance on their intended meaning. Let’s explore these three terms more deeply:

  • “Periodically”
  • “Immediately”
  • “Promptly”

What Does “Periodically” Mean in PCI DSS 4.0?

In contrast with v3.2.1 where it appeared just nine times, the word “periodically” now appears over 40 times in PCI DSS v4.0.

 

That’s because of the flexibility now permitted under the new, more risk-based “Customized Approach” to PCI compliance. If you take that tack, you will define the frequency of certain security-related tasks as appropriate for your business.

 

It’s nice since that flexibility acknowledges that security solutions are not one-size-fits-all—as such, the cadence of certain security-related tasks may vary across organizations while still meeting requirements.

 

Some examples of “periodically” in the new requirements:

 

  • 2.4 - (Customized Approach) Account privilege assignments are verified periodically by management as correct, and nonconformities are remediated.
  • 6.3 - Application passwords are changed periodically at the frequency defined in the entity’s risk analysis.
  • 10.2 (Customized Approach) - The incident response plan is kept current and tested periodically.

The key is, defining “periodically” will be at your discretion.

This responsibility shouldn’t be taken lightly—the standard also requires that you be able to demonstrate that the frequency you define “is appropriate for the activity to be effective and to meet the intent of the requirement.”

Once you’ve decided, your definition should be documented in your risk analysis and security policy as required in 12.3.1.  

When you do opt to use “periodically,” the PCI Council did also provide additional guidance you should adhere to for any process defined that way:

  • You should be promptly notified any time an activity is not performed per its defined (“periodic”) schedule.
  • You should determine the events that led to missing a scheduled activity.
  • You should perform the activity as soon as possible after it is missed and either get back on schedule or establish a new schedule.
  • You should produce documentation that shows the above elements occurred.

So while the new version of the standard is yielding some control back to organizations, ensure you take care when using “periodically”—and make sure to follow the required documentation requirements every time you do.

 

What Does “Immediately” Mean in PCI DSS 4.0?

In v4.0, requirement 8.2.5 states that access for terminated users shall be “immediately” revoked.

 

That’s a reasonable statement that probably means “pretty darn quickly” to most of us, but at face value, there’s nothing definitive as to what “immediately” should mean in the context of a time-sensitive activity—including the revoking of access for a terminated user.

 

Similarly, requirement 12.10 requires that “suspected and confirmed security incidents that could impact the CDE are responded to immediately.” But again, without a definition for “immediately,” you have room for debate where you don’t want room for debate.

 

That’s not the case any longer. Immediately is now defined as “without delay. In real-time or near real-time.”   You can find that in the new Section 7 table of the v4.0 PCI DSS standard dedicated to timeframes.

 

It means you need to revoke access for terminated users in near real-time. Respond to security alerts that impact the cardholder data environment (CDE) without delay. The new definition is not intended to mean “by tomorrow” or even “in a couple of hours”—it really does mean immediately.

 

“Immediately” shows up quite a bit in the new standard, around 21 times, but the new standard has documented that the word does mean just what you thought it meant all along. Now that it’s stated clearly, you’ll need to ensure you follow the definition.

 

What Does “Promptly” Mean in PCI DSS 4.0?

 

If “immediately” means without delay, then version 4.0 indicates that the use of “promptly” would instead mean the issue at hand is not quite as hot as “immediately” but still needs to be addressed “as soon as reasonably possible.”

Tasks that might require some level of investigation, planning, and testing are usually associated with the “promptly” timeframe. Some examples of “promptly” in v4.0 requirements:

  • 3.1.b Examine system components and logs, to verify that the anti-malware solution(s) and definitions are current and have been promptly deployed.
  • 3.3 Audit log files, including those for external-facing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify.
  • 7 Failures of critical security control systems are detected, reported, and responded to promptly.

“Promptly” appears around 23 times in v4.0. While not quite as pressing as items that need handling “immediately,” we recommend getting in the habit of addressing these labeled “promptly” in as timely a manner as possible.

Moving Forward with PCI DSS 4.0

While the v3.2.1 version of the standard allowed much room for debate—and potential risk exposure—over words like “immediately,” “periodically,” and “promptly” when discussing critical requirement details, the updated v4.0 version does not.

 

Instead, PCI DSS 4.0 does a great job of pairing up requirements with the appropriate, clearly-defined timeframe. Now that you’ve read our breakdown of them all, you’re in a better position going into your extended transition to this new standard.

 

For your convenience, here’s the full list of timeframe definitions in PCI DSS 4.0:

How to Define Time in PCI DSS 4.0 Table

As you continue to plan for your version 4.0 experience, read our other content on the new update to bolster and simplify your preparation:

 

In the meantime, please also feel free to reach out to us at pci@schellman.com or through our contact us page. If you have any specific questions regarding the new standard, we can certainly set up a call to speak more about your concerns.

About Matt Howard

Matt Howard is a Senior Associate with Schellman focused primarily on PCI assessments for organizations across various industries. Prior to working at Schellman, Matt ran a Security Operations Center (SOC) helping various organizations improve their security posture while preventing, detecting, analyzing, and responding to cybersecurity incidents.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Ready delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.