PCI Requirement 10.4.3 – Time Settings Are Received from Industry-Accepted Time Sources

by Randy Bartels / May 1st, 2018

Industry-Accepted Time Sources

To ensure that critical system clocks and time are consistent and correct, PCI Requirement 10.4.3 requires that time settings be received from industry-accepted time sources. These could be the public NTP servers of the U.S. Navy, NASA, Google, or other organizations whose time servers are disciplined by GPS.

The testing procedure for PCI Requirement 10.4.3 requires assessors to examine system configurations to verify that the time servers accept time updates only from specific, industry-accepted sources. The PCI DSS also states, “Optionally, those updates can be encrypted with a symmetric key, and access control lists can be created that specify the IP addresses of client machines that will be provided with the time updates (to prevent unauthorized use of internal time servers).” In practice the symmetric-key option is NTP's packet authentication (RFC 5905), which appends a keyed hash to each packet rather than encrypting it: the protection is that a forged or altered update is rejected, not that the time data is hidden. The access control lists are the `restrict` directives in ntpd (or `allow`/`deny` in chrony), and an assessor will want to see both the configured sources and those restrictions, not just the fact that the clock is currently in sync.

PCI Requirement 10.4.3 requires that your designated time servers take their time from industry-accepted sources. Examples include the U.S. Navy NTP servers, NASA servers, and Google servers, as well as other organizations whose servers are synchronized from GPS. The standard does not name specific entities; what matters is that the time servers and synchronization sources you use are industry accepted, and that you can show the assessor the configuration that proves it.
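The two paragraphs above describe what an assessor checks in a time server's configuration: the sources it accepts time from, whether updates are authenticated with a symmetric key, and whether access controls limit who can use the server. As an added example, not code from the original article or from the PCI SSC, here is a small checker that parses an ntpd-style `ntp.conf` and reports those points, run against a constructed weak configuration and a constructed hardened one. The approved-source list is an assumption (the DSS does not name operators), the `10.20.0.0/16` client subnet and the keys file path are placeholders, and the hardened configuration assumes the upstream operators have shared symmetric keys with you out of band, which public servers generally do not offer; in real deployments the keys usually protect the hop from your internal time servers to their clients, which is why the checker reports a missing key as a note rather than a failure.

```python
"""Check an ntpd configuration against the points PCI DSS 10.4.3 asks an
assessor to verify. Added example; the source list, subnets and sample
configurations are constructed for illustration.
"""
from typing import Dict, List

# Constructed list of sources the organization has vetted as industry accepted.
APPROVED_SOURCES = {"tick.usno.navy.mil", "tock.usno.navy.mil", "time.google.com"}

# Flags a 'restrict default' line must carry unless it denies everything ('ignore').
REQUIRED_DEFAULT_RESTRICT = {"nomodify", "noquery"}


def parse_ntp_conf(text: str) -> Dict[str, list]:
    """Extract the directives the check needs: time sources, restrict lines,
    keys file and trustedkey ids. Everything else is ignored."""
    conf = {"server": [], "restrict": [], "keys": [], "trustedkey": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        directive, *args = line.split()
        if directive in ("server", "peer", "pool"):
            entry = {"host": args[0], "key": None}
            if "key" in args:  # 'key <id>' selects a symmetric key for this source
                entry["key"] = args[args.index("key") + 1]
            conf["server"].append(entry)
        elif directive in conf:
            conf[directive].append(args)
    return conf


def check_ntp_conf(text: str, approved=APPROVED_SOURCES) -> List[str]:
    """Return findings prefixed FAIL (requirement not met) or NOTE (optional
    hardening absent). An empty list means the configuration passed."""
    conf = parse_ntp_conf(text)
    findings = []
    trusted = {k for args in conf["trustedkey"] for k in args}

    if not conf["server"]:
        findings.append("FAIL: no time source configured")
    for src in conf["server"]:
        host, key = src["host"], src["key"]
        if host not in approved:
            findings.append(f"FAIL: {host} not on the approved source list")
        if key is None:
            findings.append(f"NOTE: {host} has no symmetric key; updates are unauthenticated")
        elif key not in trusted:
            findings.append(f"FAIL: {host} uses key {key}, which is not in trustedkey")
    if any(s["key"] for s in conf["server"]) and not conf["keys"]:
        findings.append("FAIL: key ids referenced but no 'keys' file directive")

    default = [r for r in conf["restrict"] if r and r[0] == "default"]
    if not default:
        findings.append("FAIL: no 'restrict default' line; any host can query or modify ntpd")
    else:
        flags = set(default[0][1:])
        missing = REQUIRED_DEFAULT_RESTRICT - flags
        if "ignore" not in flags and missing:
            findings.append("FAIL: restrict default lacks " + ", ".join(sorted(missing)))
    return findings


def passes(findings: List[str]) -> bool:
    """True when no FAIL-level finding remains."""
    return not any(f.startswith("FAIL") for f in findings)


# Constructed weak configuration: an unvetted source, no authentication,
# and a 'restrict default' with no flags (everyone may query and modify).
WEAK_CONF = """
driftfile /var/lib/ntp/ntp.drift
server 192.0.2.50 iburst            # not on the approved list
server tick.usno.navy.mil iburst    # approved, but unauthenticated
restrict default
"""

# Constructed hardened configuration: approved sources only, symmetric keys
# (assumes keys were shared out of band), deny-by-default access control that
# permits only the configured upstream sources and one client subnet.
HARDENED_CONF = """
driftfile /var/lib/ntp/ntp.drift
keys /etc/ntp/ntp.keys              # placeholder path; file holds '10 SHA1 <hex>'
trustedkey 10
server tick.usno.navy.mil iburst key 10
server tock.usno.navy.mil iburst key 10
restrict default ignore
restrict source nomodify notrap nopeer noquery
restrict 10.20.0.0 mask 255.255.0.0 nomodify notrap nopeer noquery
restrict 127.0.0.1
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = check_ntp_conf(conf)
        print(f"{name}: {'PASS' if passes(result) else 'FAIL'}")
        for line in result:
            print("  " + line)
```

Running the script reports four findings for the weak configuration (an unapproved source, two unauthenticated sources, and a permissive `restrict default`) and none for the hardened one. The checker only reads the file; an assessor will also ask to see `ntpq -p` output showing that the daemon is actually synchronized to the configured sources, which this script does not replace.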