PCI DSS 1.2.7: Review NSC Configurations Every Six Months
Network Security Configuration (NSC) reviews are a foundational PCI DSS requirement that prevents security drift and configuration gaps. Performing these audits every six months ensures your network defenses remain relevant and effective against evolving threats. This guide shows you exactly what to review and how to document compliance.
What this means
PCI DSS 1.2.7 requires organizations to systematically review all network security component configurations at least twice per year. This control ensures that configurations remain appropriate for your current environment, threat landscape, and business needs. Reviews must validate that security controls are still functioning as intended and haven't been inadvertently weakened or become obsolete.
How to comply
- 1.Schedule NSC configuration reviews on a fixed calendar—typically every 6 months (e.g., January and July)
- 2.Document the scope of review: which systems, network segments, and security appliances are included
- 3.Compare current configurations against your approved baseline and security policy
- 4.Test that security rules, access controls, and firewall rules still align with business requirements
- 5.Identify any unapproved changes, drift, or deprecated settings that need remediation
- 6.Document findings, including what was reviewed, who performed the review, and the date
- 7.Record any configuration changes needed and establish timelines for remediation
- 8.Obtain management sign-off confirming the review was completed and findings were addressed
Evidence auditors look for
- NSC configuration audit reports dated with reviewer name and scope
- Baseline configuration documentation compared against current state
- Firewall rule audits showing rules reviewed and their business justification
- Network segmentation validation confirming segregation controls are active
- Security appliance configuration exports with review notation and approval
- Remediation tickets for configuration gaps identified during review
- Management sign-off or approval records for completed reviews
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically tracks your NSC inventory and alerts you when 6-month review deadlines approach, streamlining the scheduling and documentation of configuration audits without manual tracking.
See how GRCWatch handles this control automatically
Start free trial