A3.3.3 Reviews are performed at least once every three months to verify BAU activities are being followed
Defined Approach Requirements
A3.3.3 Reviews are performed at least once every three months to verify BAU activities are being followed. Reviews are performed by personnel assigned to the PCI DSS compliance program (as identified in A3.1.3), and include:
- Confirmation that all BAU activities, including A3.2.2, A3.2.6, and A3.3.1, are being performed.
- Confirmation that personnel are following security policies and operational procedures (for example, daily log reviews, ruleset reviews for network security controls, configuration standards for new systems).
- Documenting how the reviews were completed, including how all BAU activities were verified as being in place.
- Collection of documented evidence as required for the annual PCI DSS assessment.
- Review and sign-off of results by personnel assigned responsibility for the PCI DSS compliance program, as identified in A3.1.3.
- Retention of records and documentation for at least 12 months, covering all BAU activities.
PCI DSS Reference: Requirements 1-12
Customized Approach Objective
This requirement is not eligible for the customized approach.
Defined Approach Testing Procedures
A3.3.3.a Examine policies and procedures to verify that processes are defined for reviewing and verifying BAU activities in accordance with all elements specified in this requirement.
A3.3.3.b Interview responsible personnel and examine records of reviews to verify that:
- Reviews are performed by personnel assigned to the PCI DSS compliance program.
- Reviews are performed at least once every three months.
Purpose
Regularly confirming that security policies and procedures are being followed provides assurance that the expected controls are active and working as intended. The objective of these reviews is not to reperform other PCI DSS requirements, but to confirm that security activities are being performed on an ongoing basis.
Good Practice
These reviews can also be used to verify that appropriate evidence is being maintained—for example, audit logs, vulnerability scan reports, reviews of network security control rulesets—to assist in the entity's preparation for its next PCI DSS assessment.
Examples
Looking at Requirement 1.2.7 as one example, Requirement A3.3.3 is met by confirming, at least once every three months, that reviews of configurations of network security controls have occurred at the required frequency. On the other hand, Requirement 1.2.7 is met by reviewing those configurations as specified in the requirement.
Purpose
Designated Entities must verify, at least once every three months, that BAU activities are being performed, and must document, sign off on, and retain the results of those reviews.
Compliance Strategies
- Quarterly review checklist covering all BAU activities, including A3.2.2, A3.2.6, and A3.3.1
- Sign-off by personnel assigned to the PCI DSS compliance program (A3.1.3)
- Retention of review records and supporting evidence for at least 12 months
Typical Policies
- Policy and procedure for the quarterly review and verification of BAU activities
Common Pitfalls
- No record of how the review was completed or how each BAU activity was verified
- Reviews performed or signed off by personnel not assigned to the compliance program
- Review records not retained for 12 months
Type
Documentation/Process Control
Difficulty
Low
Key Risks
- Inability to demonstrate compliance at the annual PCI DSS assessment
Recommendations
- Centralize review records together with the evidence they reference