WithPCI Logo
WithPCI.com

10.7.2 Failures of critical security control systems are detected, alerted, and addressed promptly

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

10.7.2 Failures of critical security control systems are detected, alerted, and addressed promptly, including but not limited to failure of the following critical security control systems:

  • Network security controls.
  • IDS/IPS.
  • Change-detection mechanisms.
  • Anti-malware solutions.
  • Physical access controls.
  • Logical access controls.
  • Audit logging mechanisms.
  • Segmentation controls (if used).
  • Audit log review mechanisms.
  • Automated security testing tools (if used).

Customized Approach Objective

Failures in critical security control systems are promptly identified and addressed.

Applicability Notes

This requirement applies to all entities, including service providers, and will supersede Requirement 10.7.1 as of 31 March 2025. It includes two additional critical security control systems not in Requirement 10.7.1.

This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.

Defined Approach Testing Procedures

10.7.2.a Examine documentation to verify that processes are defined for the prompt detection and addressing of failures of critical security control systems, including but not limited to failure of all elements specified in this requirement.

10.7.2.b Observe detection and alerting processes and interview personnel to verify that failures of critical security control systems are detected and reported, and that failure of a critical security control results in the generation of an alert.

Purpose

Without formal processes to detect and alert when critical security controls fail, failures may go undetected for extended periods and provide attackers ample time to compromise system components and steal account data from the CDE.

Good Practice

The specific types of failures may vary, depending on the function of the device system component and technology in use. However, typical failures include a system no longer performing its security function or not functioning in its intended manner—for example, a firewall erasing its rules or going offline.

purpose

Review failures in log collection and alerting mechanisms.

compliance strategies

  • Monitor log pipeline health
  • Alert on collection failures

typical policies

  • Log Failure Response Policy

common pitfalls

  • Missed log pipeline outages
  • No alert for log failures

type

Technical Control

difficulty

Moderate

key risks

  • Gaps in security monitoring

recommendations

  • Automate health checks and alerting

Eligible SAQ

  • SAQ-D MERCHANT
  • SAQ-D SERVICE PROVIDER

Your perspective on this PCI DSS requirement matters! Share your implementation experiences, challenges, or questions below. Your insights help other organizations improve their compliance journey and build a stronger security community.Comment Policy