Service Providers must conduct quarterly inspections based on PCI DSS v4.0 provision 12.4.2 (PCI DSS v3.2.1 – 12.11), to confirm that the company’s security policies and procedures, etc. are substantially followed and perform regular checks of various control measures.

 

PCI DSS v4.0 provision 12.4.2 lists 5 inspection items, including but not limited to:

a) Daily log reviews

Inspections of daily logs should be conducted every 3 months to ensure the operations are completed as scheduled.

In the requirements of PCI DSS v4.0, the review is mainly based on the “automated method”, so mechanisms e.g., SIEM and Log Analyzer should be configured in the environment to ensure that the target logs can be regularly reviewed by automated mechanisms.

b) Configuration reviews for network security controls

For network security control equipment (e.g., firewalls), a Rule-set review is required every six months to confirm whether relevant personnel have performed the expected tasks, whether the Rule-set implementation has been followed by company regulations, conducting approvals and relevant tests, etc.

c) Applying configuration standards to the new system

With any newly added system and devices in the environment, the established configuration standards should be applied as well as conducted quarterly inspection of network devices, host environment (operating system), database, etc.

d) Responding to security alerts

Alerts of various security incidents should be handled and responded to in accordance with the company’s established incident/incident response process (e.g., Incident Response Plan IRP).

e) Change management procedures

For various types of system equipment and application systems, if there is a need for change or deployment, the deployment/release process should proceed according to the company’s established rules.

 

In 12.4.2.1, it is also required:

a) These aforementioned reviews must leave review records.

b) If there are non-conformities that are not reviewed, strengthening or compensatory measures must be taken.

c) It needs to be reviewed and signed by the person responsible for the company’s PCI DSS compliance (e.g., the main contact of Compliance, the responsible person assigned by the senior manager, PM, etc.).

In brief, PCI DSS v4.0 provision 12.4.2 mainly requires “compliance”. Various established measures, processes, policies, etc. must be followed to ensure the company’s compliance operations are more stable and complete.