PCI-DSS retention notes and vulnerability notes - dishplate/blog GitHub Wiki

Retention notes

PCI-DSS

10.5 Audit log history is retained and available for analysis.

10.5.1.a Examine documentation to verify that the following is defined:
• Audit log retention policies.
• Procedures for retaining audit log history for at least 12 months, with at least the most recent three months immediately available online.

10.5.1.b Examine configurations of audit log history, interview personnel and examine audit logs to verify that audit log history is retained for at least 12 months.

11.4 External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected.

11.4.1 A penetration testing methodology is defined, documented, and implemented by the entity, and includes:
• Review and consideration of threats and vulnerabilities experienced in the last 12 months.
• Retention of penetration testing results and remediation activities results for at least 12 months.
• Documented approach to assessing and addressing the risk posed by exploitable vulnerabilities and security weaknesses found during penetration testing.

6.3 Security vulnerabilities are identified and addressed.

6.3.3 All system components are protected from known vulnerabilities by installing applicable security patches/updates.

6.4.1 For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks.

6.5.2 Upon completion of a significant change, all applicable PCI DSS requirements are confirmed to be in place on all new or changed systems and networks, and documentation is updated as applicable.
Systems are scanned for internal and external vulnerabilities after significant changes per Requirements 11.3.1.3 and 11.3.2.1.

11.3 External and internal vulnerabilities are regularly identified, prioritized, and addressed.