What Does “Periodically” Actually Mean? PCI DSS v4.0 Specifies Timeframes

26. April 2024

“Promptly”, “quarterly”, “periodically”: Many PCI DSS requirements demand that measures be implemented within a specified timeframe. While version v3.2.1 of the PCI DSS left some room for interpretation here, version v4.0 contains specific explanations for the first time. This way, the Payment Card Industry Security Standards Council (PCI SSC) aims to prevent discussions and disagreements between organizations, their assessors and credit card organizations.

But what exactly does “periodically” mean? What happens if your company exceeds a specified timeframe? And what do you need to consider in your first PCI DSS assessment? Find answers to these questions in this article.

Timeframes in PCI DSS v4.0

The Council requires that activities are carried out at intervals that are as close as possible to the specified timeframe without exceeding it. It only sets minimum requirements - you are of course free to carry out measures more frequently if necessary.

Here is a complete overview of the new timeframes defined in PCI DSS v4.0:

Immediately: Without delay. In real time or near real time.
Promptly: As soon as reasonably possible.
Daily: Every day of the year (not only on business days).
Weekly: At least once every seven days.
Monthly: At least once every 30 to 31 days, or on the nth day of the month.
Every three months (“quarterly”): At least once every 90 to 92 days, or on the nth day of each third month.
Every six months: At least once every 180 to 184 days, or on the nth day of each sixth month.
Every 12 months (“annually”): At least once every 365 (or 366 for leap years) days, or on the same date every year.
Periodically: Frequency of occurrence is at the organization’s discretion and is documented and supported by the organization’s risk analysis. The organization must demonstrate that the frequency is appropriate for the activity to be effective and to meet the intent of the requirement.
Significant change: Certain requirements relate to significant changes to a company’s environment. Exactly what constitutes a significant change depends heavily on the company and its environment, and on which activities have a potential impact on the security of the CDE (Cardholder Data Environment). At least the following activities are to be assessed as significant changes:
- New hardware, software, or networking equipment added to the CDE.
- Any replacement or major upgrades of hardware and software in the CDE.
- Any changes in the flow or storage of account data.
- Any changes to the boundary of the CDE and/or to the scope of the PCI DSS assessment.
- Any changes to the underlying supporting infrastructure of the CDE (including, but not limited to, changes to directory services, time servers, logging, and monitoring).
- Any changes to third-party vendors/service providers (or services provided) that support the CDE or meet PCI DSS requirements on behalf of the entity.
Source: PCI DSS v4.0, p. 25f.
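As an added example (not from the original article or from the PCI SSC), the timeframe definitions above encoded as a small checker that an evidence log of activity dates can be run through. The frequency labels, the constructed sample scan dates and the handling of "365 or 366 days" via the anniversary date are my assumptions about how to read the definitions.

```python
from datetime import date, timedelta

# Longest permitted gap in days and the month step for the "nth day" alternative,
# per the PCI DSS v4.0 timeframe definitions (p. 25f). "every 12 months" is handled
# separately, because 365 vs 366 depends on whether a 29 February lies in the window.
RULES = {
    "daily": (1, None),
    "weekly": (7, None),
    "monthly": (31, 1),
    "every 3 months": (92, 3),
    "every 6 months": (184, 6),
}

def anniversary(d: date) -> date:
    """Same date next year; 29 February falls back to 28 February (assumption)."""
    try:
        return d.replace(year=d.year + 1)
    except ValueError:
        return d.replace(year=d.year + 1, day=28)

def gap_ok(frequency: str, prev: str, curr: str) -> bool:
    """True if performing the activity on `curr` (ISO date) keeps the window that
    started at `prev` within the PCI DSS v4.0 definition of `frequency`."""
    p, c = date.fromisoformat(prev), date.fromisoformat(curr)
    if c < p:
        raise ValueError("dates must be in chronological order")
    if frequency == "every 12 months":
        return c <= anniversary(p)  # 365 days, or 366 when a leap day is crossed
    max_days, month_step = RULES[frequency]
    if (c - p).days <= max_days:
        return True
    # "on the nth day of each ... month": same day number, exactly month_step later
    months = (c.year - p.year) * 12 + (c.month - p.month)
    return month_step is not None and months == month_step and c.day == p.day

def next_due(frequency: str, last: str) -> str:
    """Latest ISO date on which the next occurrence is still on time."""
    d = date.fromisoformat(last)
    if frequency == "every 12 months":
        return anniversary(d).isoformat()
    return (d + timedelta(days=RULES[frequency][0])).isoformat()

def missed_windows(frequency: str, performed: list[str]) -> list[tuple[str, str]]:
    """(prev, curr) pairs in the evidence log whose gap breaks the timeframe."""
    dates = sorted(performed)  # ISO strings sort chronologically
    return [(a, b) for a, b in zip(dates, dates[1:]) if not gap_ok(frequency, a, b)]

# Constructed sample evidence log (not real data): quarterly internal scan dates.
# The July -> October gap is 98 days, so that window is broken.
QUARTERLY_SCANS = ["2024-01-10", "2024-04-09", "2024-07-09", "2024-10-15", "2025-01-10"]

if __name__ == "__main__":
    for a, b in missed_windows("every 3 months", QUARTERLY_SCANS):
        print(f"broken window {a} -> {b}; was due by {next_due('every 3 months', a)}")
```

Run against your own evidence log per requirement; a non-empty result from missed_windows is exactly the situation the section on exceeded deadlines below describes.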

A major change: You can define “periodically” at your discretion

Where the PCI DSS does not define a minimum frequency, periodic fulfillment of certain requirements is permitted. The reason for this flexibility is the new, more risk-based approach to PCI compliance. You determine the frequency of periodic activities in your organization, depending on the risk, the business, and the processes. Your organization's security policy and a targeted risk analysis in accordance with PCI DSS Requirement 12.3.1 will help you to determine an appropriate frequency. You must demonstrate that it is sufficient to fulfill the purpose of the requirements.

What happens if my organization exceeds the deadline for a specified activity?

Generally, your organization should implement a documented process not only for activities that are performed at specific points in time but also for activities that are performed periodically. This process includes at least the following steps:

If you have established this process and follow its steps should you ever exceed the deadline for an activity, your “compliant” status does not automatically expire.

However, if no such process is in place and/or the activity was not performed as planned due to oversight, mismanagement or lack of monitoring, you have not met the relevant requirement. In such a case, you can still comply with the requirement if your organization

  1. documents or reconfirms the previously described process to ensure that the planned activity is performed on time,
  2. redefines the schedule,
  3. provides evidence that the planned action has been performed at least once according to its schedule.

Timeframe for an organization's initial PCI DSS assessment

If you are certified for the first time according to PCI DSS, you do not have to demonstrate that you have already performed activities for each specified timeframe in the previous year. Your PCI assessors will want to validate only the following aspects:

  1. The activity was performed in compliance with the requirements within the last timeframe (e.g. the last three-month or six-month period).
  2. Your organization has documented policies and procedures for the continuing implementation of the activity within the defined timeframe.

For subsequent years after the first assessment, the activity must have been performed at least once within each required timeframe.

Is your first PCI DSS v4.0 assessment coming up?

In our free usd webinar on Targeted Risk Analysis, our colleague Tobias Weber will take you on a deep dive into the topic. You can rewatch the webinar here.

For more information about PCI DSS v4.0, check out our blog posts and webinar recordings. Do you have further questions? Do not hesitate to contact us.

Tobias Weber
