PCI DSS 12.4.2.1: Documenting Quarterly Reviews for Service Providers
As a service provider, PCI DSS 12.4.2.1 mandates that you document and retain evidence of quarterly reviews for at least 12 months. This control ensures consistent oversight of your security posture and demonstrates accountability to your customers and auditors.
What this means
This service provider-specific requirement builds on Requirement 12.4.2 by adding a documentation and retention mandate. You must create written records of each quarterly review—including dates, findings, and actions taken—and maintain these records for a minimum of 12 months. This establishes an auditable trail of your compliance efforts and security management practices.
How to comply
- 1.Schedule quarterly reviews on a fixed calendar (e.g., January, April, July, October) to ensure consistency
- 2.Document the scope of each review, including systems, processes, and personnel assessed
- 3.Record review dates, participants, and methodologies used to evaluate compliance
- 4.Capture findings, identified gaps, and remediation actions in writing
- 5.Obtain sign-off or approval from authorized personnel for each review
- 6.Store documentation in a centralized, secure location with controlled access
- 7.Implement a retention policy that preserves records for the full 12-month period minimum
- 8.Verify retention compliance during internal audits and vendor assessments
Evidence auditors look for
- Quarterly review meeting minutes with attendance, agenda, and discussion outcomes
- Assessment checklists or templates completed during each review cycle
- Risk registers or findings logs documenting discovered issues and remediation timelines
- Sign-off sheets or approval records from management confirming review completion
- Incident or control failure logs tied to specific review periods
- Remediation status reports showing actions taken between reviews
- Audit reports or third-party assessments conducted quarterly
- Email confirmations or project tracking records linking reviews to corrective actions
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates quarterly review scheduling, collects evidence submissions from your team, and maintains a 12-month rolling retention vault—so you never miss a deadline and always have proof of compliance ready for audits.
See how GRCWatch handles this control automatically
Start free trial