PCI DSS compliance

10.4 Time-synchronization technology

10.4.1.a Correct distribution of time data

Proper time synchronization relies on a few factors, such as acquiring the time from trustworthy sources. Those sources could be a reliable internal time station or external time services. PCI DSS specifically states that time information should be in International Atomic Time, or UTC. For most time synchronization services this is already the default, like the NTP daemon on Linux or other UNIX-based platforms. More important is how it is configured, and that enough sources are used to ensure time is always synchronized. For example, unreliable sources and false-tickers could cause NTP to stop working.
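One way to check the source health described above is to classify the peers in `ntpq -pn` output by tally code. This is an added example, not part of the original page; the sample output is constructed, and the minimum of four usable sources is an assumed operational threshold, not a figure from PCI DSS.

```python
"""Classify NTP sources from `ntpq -pn` output by tally code (added example)."""

USABLE = {"*", "+", "#", "o"}  # system peer, candidate, backup, PPS peer
MIN_USABLE = 4  # assumption: common operational guidance, not a PCI DSS figure

# Constructed sample output; addresses are from the documentation ranges.
SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      .GPS.            1 u   33   64  377    0.412    0.021   0.015
+192.0.2.11      192.0.2.10       2 u   12   64  377    0.538   -0.104   0.040
x198.51.100.7    .LOCL.           1 u   40   64  377    1.210  412.733   3.950
 203.0.113.5     .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""


def parse_peers(output):
    """Return (tally, remote, reach, offset_ms) tuples for each peer line."""
    lines = output.splitlines()
    sep = next((i for i, l in enumerate(lines) if l.startswith("=")), None)
    if sep is None:
        raise ValueError("no ntpq header separator found")
    peers = []
    for line in lines[sep + 1:]:
        if line.strip():
            f = line[1:].split()  # column 0 is the tally code, may be a space
            peers.append((line[0], f[0], int(f[6], 8), float(f[8])))
    return peers


def assess(output, min_usable=MIN_USABLE):
    """Group sources and list findings an auditor would want explained."""
    r = {"usable": [], "falsetickers": [], "unreachable": [], "findings": []}
    for tally, remote, reach, offset in parse_peers(output):
        if reach == 0:  # reach is an octal shift register; 0 = no replies
            r["unreachable"].append(remote)
            r["findings"].append(f"{remote}: no replies in the last 8 polls")
        elif tally == "x":
            r["falsetickers"].append((remote, offset))
            r["findings"].append(f"{remote}: falseticker, offset {offset} ms")
        elif tally in USABLE:
            r["usable"].append(remote)
    if len(r["usable"]) < min_usable:
        r["findings"].append(
            f"only {len(r['usable'])} usable sources, expected {min_usable}")
    return r


if __name__ == "__main__":
    for finding in assess(SAMPLE)["findings"]:
        print(finding)
```

On a live host, pass the captured output of `ntpq -pn` to `assess()` in place of `SAMPLE`.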

10.4 Standards and Processes

Section 10.4 focuses on time synchronization, which is important for a well-functioning system. Misconfigured time synchronization or unexpected time differences could affect several requirements of the PCI DSS standard. This is particularly true for requirement 6, related to logging. Other areas of the system that might be affected are Kerberos, data synchronization, and forensics.