A3.2.2.1 Upon completion of a change, all relevant PCI DSS requirements are confirmed to be implemented on all new or changed systems and networks, and documentation is updated as applicable.
Defined Approach Requirements
A3.2.2.1 Upon completion of a change, all relevant PCI DSS requirements are confirmed to be implemented on all new or changed systems and networks, and documentation is updated as applicable.
PCI DSS Reference: Scope of PCI DSS Requirements; Requirements 1-12
Customized Approach Objective
This requirement is not eligible for the customized approach.
Defined Approach Testing Procedures
A3.2.2.1 Examine change records and the affected systems/networks, and interview personnel to verify that all relevant PCI DSS requirements were confirmed to be implemented and documentation updated as part of the change.
Purpose
It is important to have processes to analyze all changes made to systems or networks, to ensure that all appropriate PCI DSS controls are applied to any systems or networks added to the in-scope environment due to a change.
Building this validation into change management processes helps ensure that device inventories and configuration standards are kept up to date, and security controls are applied where needed.
Good Practice
A change management process should include supporting evidence that PCI DSS requirements are implemented or preserved through an iterative process.
Examples
PCI DSS requirements that should be verified include, but are not limited to:
- Network diagrams are updated to reflect changes.
- Systems are configured per configuration standards, with all default passwords changed and unnecessary services disabled.
- Systems are protected with required controls—for example, file integrity monitoring, antimalware, patches, and audit logging.
- Sensitive authentication data is not stored, and all account data storage is documented and incorporated into data-retention policy and procedures.
- New systems are included in the quarterly vulnerability scanning process.
purpose
Designated Entities must verify, on completion of every change, that all relevant PCI DSS requirements are implemented on the new or changed systems and networks, and must update the supporting documentation (system inventories, network diagrams, configuration standards, data-retention records) so that the documented scope matches what has actually been deployed.
compliance strategies
- Post-change verification checklist built into the change management process
- Change records retained as evidence that PCI DSS controls were confirmed on each new or changed system
- Inventory, network diagram, and vulnerability-scan target updates triggered as part of change closure
typical policies
- Change Management Procedure
- PCI DSS Scoping Procedure
common pitfalls
- Change closed without confirming that PCI DSS controls apply to the new or changed systems
- New systems left out of inventories, network diagrams, or the quarterly vulnerability scanning process
- Documentation not updated, so the recorded scope drifts from the actual environment
type
Process Control
difficulty
Moderate
key risks
- Inaccurate PCI scope
- New or changed systems operating without required controls (configuration standards, patching, antimalware, file integrity monitoring, audit logging)
recommendations
- Make PCI DSS verification a mandatory gate for closing a change record, with the evidence attached to the record
- Reconcile change records against the annual scope confirmation so that both agree on the in-scope inventory