I just did a PCI compliance test on a droplet. The server itself passed with flying colors (it had basic SSH hardening, a firewall, etc.).
Where it did not pass was the loads of documentation they now require. This must be something new, because I have passed every year until now.
*Are written policies and procedures defined for reviewing the following at least daily, either manually or via log tools?*
- All security events
- Logs of all system components that store, process, or transmit CHD and/or SAD, or that could impact the security of CHD and/or SAD
- Logs of all critical system components
- Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.)
The amount of documentation required is a bit overwhelming. In the end, the company decided to just stop storing CC numbers rather than pay me to do all the documenting.