GRCWatch
Sign inStart free trial

PCI DSS 10.6.3: Protecting Time Synchronization Settings and Data

Time synchronization is critical for audit trails and detecting unauthorized access in payment environments. PCI DSS 10.6.3 requires organizations to protect both the settings that control time synchronization and the data those systems generate. Without proper protection, attackers can manipulate timestamps to hide malicious activity or cover their tracks.

What this means

This control ensures that time synchronization configurations and historical time data cannot be altered by unauthorized users. Time synchronization systems provide the backbone for reliable audit logging—if timestamps are compromised, your entire audit trail becomes unreliable. The control applies to all systems involved in cardholder data processing and storage, including servers, databases, network devices, and point-of-sale systems.

How to comply

  1. 1.Identify all systems that require time synchronization across your cardholder data environment
  2. 2.Implement centralized time synchronization using NTP (Network Time Protocol) or similar mechanisms
  3. 3.Restrict administrative access to time synchronization settings using role-based access controls
  4. 4.Implement change management procedures that require approval before modifying time settings
  5. 5.Log all changes to time synchronization configurations with audit trails that include who made changes and when
  6. 6.Monitor time synchronization across systems to detect drift or unauthorized modifications
  7. 7.Use cryptographic methods to protect time synchronization data in transit and at rest
  8. 8.Regularly audit and test time synchronization controls to verify they remain effective

Evidence auditors look for

  • NTP server configuration documentation with access controls defined
  • System audit logs showing who accessed time synchronization settings and when
  • Change management records approving all time configuration modifications
  • Monitoring dashboards tracking time synchronization status across systems
  • Documented procedures for restricted administrative access to time settings
  • Cryptographic certificates or keys protecting time synchronization protocols
  • Test results verifying time synchronization accuracy across the environment
  • Network segmentation rules isolating time synchronization infrastructure

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates the discovery and continuous monitoring of time synchronization settings across your entire environment, tracks all configuration changes with audit evidence, and flags drift or unauthorized modifications in real-time—eliminating manual verification work for PCI audits.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 10.6.1PCI DSS 10.6.2PCI DSS 10.1PCI DSS 8.1