Critical patches within 30 days for CDE
Demonstrate that all systems within the Cardholder Data Environment receive critical security patches within 30 days of vendor release through documented vulnerability management processes.
Description
What this control does
This control requires every critical-severity patch and security update to be applied to systems within the Cardholder Data Environment (CDE) within 30 calendar days of the vendor's release date; the clock starts at release, not at the date the organization first notices the patch. Organizations must maintain a vulnerability management process that identifies, prioritizes, and tracks critical patches from vendors for operating systems, databases, network devices, payment applications, and all other CDE components. Timely patching prevents attackers from exploiting publicly disclosed vulnerabilities for which fixes already exist, shrinking the window of exposure for systems that store, process, or transmit payment card data.
Control objective
What auditing this proves
Demonstrate that all systems within the Cardholder Data Environment receive critical security patches within 30 days of vendor release through documented vulnerability management processes.
Associated risks
Risks this control addresses
- Attackers exploit publicly disclosed critical vulnerabilities with available proof-of-concept code to gain unauthorized access to CDE systems
- Remote code execution on unpatched CDE servers leading to cardholder data exfiltration
- Privilege escalation through unpatched operating system vulnerabilities allowing lateral movement within the CDE
- Payment application vulnerabilities enabling transaction manipulation or card data theft
- Network device vulnerabilities allowing attacker persistence and bypass of segmentation controls
- Ransomware deployment exploiting unpatched critical flaws in CDE infrastructure
- Regulatory non-compliance resulting in loss of payment processing privileges and financial penalties
Testing procedure
How an auditor verifies this control
- Obtain the organization's documented patch management policy and procedures specific to CDE systems, including the 30-day critical patch requirement
- Retrieve the current inventory of all in-scope CDE systems including operating systems, applications, databases, and network devices with version information
- Review vulnerability scanning reports or patch management system outputs from the past 90 days identifying critical vulnerabilities affecting CDE assets
- Select a sample of 15-25 critical patches released by vendors during the audit lookback period applicable to CDE systems
- For each sampled patch, obtain documentation showing the vendor release date, identification date, approval records, deployment date, and verification evidence
- Calculate the elapsed time in calendar days between the vendor release date and the documented deployment completion date for each sampled patch, and flag any result greater than 30
- Review exception records for any critical patches exceeding 30 days, including risk acceptance documentation, compensating controls, and remediation timelines
- Verify patch deployment validation evidence through system logs, configuration management database records, or vulnerability scan results confirming patch installation
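The elapsed-time calculation and exception review in the steps above can be run mechanically over the sampled patch records. The following is an added example, not part of the original page or of any assessor's toolkit: it takes a constructed set of patch records (the field names, the five sample patches and the review date are assumptions for illustration) and classifies each one as within the 30-day window, late, covered by a documented exception, still open but inside the window, or deployed on time but lacking the installation evidence that the final step requires.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

SLA_DAYS = 30  # calendar days from vendor release to completed deployment


@dataclass
class PatchRecord:
    """One sampled critical patch, as pulled from patch/CMDB records (hypothetical schema)."""
    patch_id: str
    asset: str
    vendor_release: date
    deployed: Optional[date]          # None when deployment has not completed yet
    exception_approved: bool = False  # documented risk acceptance plus compensating controls
    verified: bool = False            # scan result or CMDB record confirming installation


def elapsed_days(rec: PatchRecord, as_of: date) -> int:
    """Calendar days from vendor release to deployment, or to the review date if still open."""
    end = rec.deployed if rec.deployed is not None else as_of
    return (end - rec.vendor_release).days


def classify(rec: PatchRecord, as_of: date) -> str:
    """Map a record onto the outcomes an assessor would record for it."""
    days = elapsed_days(rec, as_of)
    if rec.deployed is None:
        if days <= SLA_DAYS:
            return "open_in_window"          # not yet a finding, but must be tracked
        return "exception" if rec.exception_approved else "late"
    if days > SLA_DAYS:
        return "exception" if rec.exception_approved else "late"
    # Deployed on time: still a finding if there is no evidence it actually landed.
    return "within_sla" if rec.verified else "unverified"


def summarize(records, as_of: date) -> dict:
    """Per-record outcomes plus counts, suitable for the workpaper."""
    outcomes = [(r.patch_id, classify(r, as_of), elapsed_days(r, as_of)) for r in records]
    counts: dict = {}
    for _, status, _ in outcomes:
        counts[status] = counts.get(status, 0) + 1
    findings = [o for o in outcomes if o[1] in ("late", "unverified")]
    return {"outcomes": outcomes, "counts": counts, "findings": findings}


# Constructed sample records; a real sample would hold 15-25 patches.
AS_OF = date(2024, 4, 20)
RECORDS = [
    PatchRecord("P-001", "db-cde-01", date(2024, 3, 5), date(2024, 3, 28), verified=True),
    PatchRecord("P-002", "app-cde-02", date(2024, 3, 5), date(2024, 4, 10), verified=True),
    PatchRecord("P-003", "fw-cde-01", date(2024, 2, 14), date(2024, 3, 29),
                exception_approved=True, verified=True),
    PatchRecord("P-004", "web-cde-03", date(2024, 4, 1), None),
    PatchRecord("P-005", "pos-cde-07", date(2024, 3, 10), date(2024, 3, 20)),
]

if __name__ == "__main__":
    report = summarize(RECORDS, AS_OF)
    for patch_id, status, days in report["outcomes"]:
        print(f"{patch_id}: {status} ({days} days)")
    print("findings:", [f[0] for f in report["findings"]])
```

The two outcomes that should appear as findings are "late" (past 30 days with no approved exception) and "unverified" (deployed on time on paper but with no installation evidence); "exception" records are reviewed against their risk acceptance and remediation timeline rather than counted as failures outright.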
Where this control is tested