How to Define Time in PCI DSS 4.0
In Marvel Comics, Dr. Strange is the keeper of the Time Stone, an ancient artifact that holds dominion over the forces of time. If you’ve delved into comic book lore—or worse, watched any of the Marvel Cinematic Universe films—you know that trying to affect set timelines can get messy fast.
Dr. Strange is charged with keeping mankind on the set path forward—away from deviations that could alter history and devastate the universe—and he’s able to do that because he’s the Sorcerer Supreme.
But you’re not, and now that this new version of the PCI DSS has dropped, you’re probably wondering how exactly you too can keep your timeline tidy so that your future assessments go as planned.
After all, you don’t have magic powers or a mystical, almighty stone at your disposal.
But you do have us. As PCI QSAs, we’ve spent time dissecting this new version of payment card security’s flagship standard and we want to help you understand it as best we can.
In this article, we’ll focus specifically on breaking down the new explanations and definitions of timeframes in the PCI DSS v4.0 Standard. We’ll help you unravel the new, more improved guidance around time so that you’ll be certain what’s expected going forward.
Understanding the New Terminology in PCI DSS v4.0
Time-defining words still exist in this new standard—in fact even more so—but we now have much better guidance on their intended meaning. Let’s explore these three terms more deeply:
What Does “Periodically” Mean in PCI DSS 4.0?
In contrast with v3.2.1 where it appeared just nine times, the word “periodically” now appears over 40 times in PCI DSS v4.0.
That’s because of the flexibility now permitted under the new, more risk-based “Customized Approach” to PCI compliance. If you take that tack, you will define the frequency of certain security-related tasks as appropriate for your business.
It’s nice since that flexibility acknowledges that security solutions are not one-size-fits-all—as such, the cadence of certain security-related tasks may vary across organizations while still meeting requirements.
Some examples of “periodically” in the new requirements:
- 2.4 - (Customized Approach) Account privilege assignments are verified periodically by management as correct, and nonconformities are remediated.
- 6.3 - Application passwords are changed periodically at the frequency defined in the entity’s risk analysis.
- 10.2 (Customized Approach) - The incident response plan is kept current and tested periodically.
The key is, defining “periodically” will be at your discretion.
This responsibility shouldn’t be taken lightly—the standard also requires that you be able to demonstrate that the frequency you define “is appropriate for the activity to be effective and to meet the intent of the requirement.”
Once you’ve decided, your definition should be documented in your risk analysis and security policy as required in 12.3.1.
When you do opt to use “periodically,” the PCI Council did also provide additional guidance you should adhere to for any process defined that way:
- You should be promptly notified any time an activity is not performed per its defined (“periodic”) schedule.
- You should determine the events that led to missing a scheduled activity.
- You should perform the activity as soon as possible after it is missed and either get back on schedule or establish a new schedule.
- You should produce documentation that shows the above elements occurred.
So while the new version of the standard is yielding some control back to organizations, ensure you take care when using “periodically”—and make sure to follow the required documentation requirements every time you do.
What Does “Immediately” Mean in PCI DSS 4.0?
In v4.0, requirement 8.2.5 states that access for terminated users shall be “immediately” revoked.
That’s a reasonable statement that probably means “pretty darn quickly” to most of us, but at face value, there’s nothing definitive as to what “immediately” should mean in the context of a time-sensitive activity—including the revoking of access for a terminated user.
Similarly, requirement 12.10 requires that “suspected and confirmed security incidents that could impact the CDE are responded to immediately.” But again, without a definition for “immediately,” you have room for debate where you don’t want room for debate.
That’s not the case any longer. Immediately is now defined as “without delay. In real-time or near real-time.” You can find that in the new Section 7 table of the v4.0 PCI DSS standard dedicated to timeframes.
It means you need to revoke access for terminated users in near real-time. Respond to security alerts that impact the cardholder data environment (CDE) without delay. The new definition is not intended to mean “by tomorrow” or even “in a couple of hours”—it really does mean immediately.
“Immediately” shows up quite a bit in the new standard, around 21 times, but the new standard has documented that the word does mean just what you thought it meant all along. Now that it’s stated clearly, you’ll need to ensure you follow the definition.
What Does “Promptly” Mean in PCI DSS 4.0?
If “immediately” means without delay, then version 4.0 indicates that the use of “promptly” would instead mean the issue at hand is not quite as hot as “immediately” but still needs to be addressed “as soon as reasonably possible.”
Tasks that might require some level of investigation, planning, and testing are usually associated with the “promptly” timeframe. Some examples of “promptly” in v4.0 requirements:
- 3.1.b Examine system components and logs, to verify that the anti-malware solution(s) and definitions are current and have been promptly deployed.
- 3.3 Audit log files, including those for external-facing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify.
- 7 Failures of critical security control systems are detected, reported, and responded to promptly.
“Promptly” appears around 23 times in v4.0. While not quite as pressing as items that need handling “immediately,” we recommend getting in the habit of addressing these labeled “promptly” in as timely a manner as possible.
Moving Forward with PCI DSS 4.0
While the v3.2.1 version of the standard allowed much room for debate—and potential risk exposure—over words like “immediately,” “periodically,” and “promptly” when discussing critical requirement details, the updated v4.0 version does not.
Instead, PCI DSS 4.0 does a great job of pairing up requirements with the appropriate, clearly-defined timeframe. Now that you’ve read our breakdown of them all, you’re in a better position going into your extended transition to this new standard.
For your convenience, here’s the full list of timeframe definitions in PCI DSS 4.0:
As you continue to plan for your version 4.0 experience, read our other content on the new update to bolster and simplify your preparation:
- What Service Providers Should Know About PCI DSS v4.0
- Multi-Factor Authentication in PCI DSS v4.0
- How to Keep Legacy Systems Compliant Under PCI DSS v4.0
In the meantime, please also feel free to reach out to us at firstname.lastname@example.org or through our contact us page. If you have any specific questions regarding the new standard, we can certainly set up a call to speak more about your concerns.
About Matt Howard
Matt Howard is a Senior Associate with Schellman focused primarily on PCI assessments for organizations across various industries. Prior to working at Schellman, Matt ran a Security Operations Center (SOC) helping various organizations improve their security posture while preventing, detecting, analyzing, and responding to cybersecurity incidents.