PCI DSS 10.7.3: Restoring Security Functions After Critical Failures
When critical security controls fail, every minute of downtime increases risk and compliance exposure. PCI DSS 10.7.3 requires you to respond promptly to failures, restore functions quickly, and maintain complete documentation of what happened and how long it took. This control ensures your organization isn't blind to threats during security system outages.
What this means
This control mandates that when any critical security function fails—such as logging systems, intrusion detection, firewalls, or authentication mechanisms—your organization must detect the failure, respond immediately, restore normal operation, and document the entire incident. The documentation must capture when the failure occurred, the duration of downtime, the root cause, and the remediation steps taken. 'Promptly' means following your defined incident response procedures with measurable timelines. This prevents extended periods where your systems operate without essential security controls.
How to comply
- 1.Identify all critical security functions that protect cardholder data (logging, access controls, encryption, monitoring systems)
- 2.Define 'prompt' response with specific timeframes for failure detection and restoration in your incident response policy
- 3.Implement automated alerts and monitoring to detect when critical security controls fail
- 4.Establish a documented incident response procedure specific to security control failures
- 5.Create a failure documentation template that captures start time, end time, duration, root cause, and remediation steps
- 6.Test your restoration procedures quarterly to ensure team readiness and timely recovery
- 7.Maintain a log of all critical security control failures and resolution times for audit review
- 8.Review failures at least quarterly to identify patterns and prevent recurrence
Evidence auditors look for
- Incident response policy defining response times for critical security control failures
- Monitoring and alerting configuration showing real-time detection of control failures
- Failure documentation records with timestamps showing prompt detection and restoration
- Restoration procedure runbooks for each critical security function
- Test results demonstrating successful restoration of controls within defined timeframes
- Quarterly failure analysis reports identifying root causes and preventive measures
- Change management records showing how restored controls were validated post-failure
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates failure detection and documentation for critical security controls, logs restoration activities with timestamps automatically, and generates audit-ready reports showing your compliance with 10.7.3 response and documentation requirements.
See how GRCWatch handles this control automatically
Start free trial