Home

PCI-DSS NTP — Requirement 10.6
Time-Sync Compliance Guide

v4.0 / v4.0.1 sub-requirements 10.6.1, 10.6.2, 10.6.3 — what your QSA actually checks

Published 12 May 2026 · By Richard DEMONGEOT, RDEM Systems · Target audience: ISMs of in-scope cardholder data environments, QSAs, Internal Security Assessors preparing PCI-DSS v4.0 / v4.0.1 assessments.
On this page

1. Scope: when does 10.6 apply to your CDE?

Requirement 10 of PCI-DSS v4.0 — "Log and monitor all access to system components and cardholder data" — applies to every system component in the cardholder data environment (CDE). Requirement 10.6 is the time-synchronization sub-set. It applies to:

The headline requirement reads:

10.6 Time-synchronization mechanisms support consistent time settings across all systems.

The "support consistent time" wording matters: the QSA looks at outcomes, not at the technology. A CDE with all systems within ±50 ms of a verified external reference passes; a CDE running chrony but with one host at +180 s drift fails — even though "NTP is configured everywhere".

2. 10.6.1 — Synchronization technology in use

10.6.1 — System clocks and time are synchronized using time-synchronization technology.

The implementation answer is virtually always NTP, plus Windows W32Time when configured as an NTP client (Type=NTP). The QSA expects:

Practical commands the QSA runs. Linux: chronyc tracking, chronyc sources, timedatectl status. Windows: w32tm /query /status, w32tm /query /peers. ESXi: ntpq -p. A clean output is part of the evidence; a stale "Last Successful Sync Time" is not.

3. 10.6.2 — Designated time servers and approved sources

10.6.2 — Systems are configured to the correct and consistent time as follows: one or more designated time servers are in use; only the designated central time server(s) receives time from external sources; time received from external sources is based on International Atomic Time (TAI) or Coordinated Universal Time (UTC); the designated time server(s) accept time updates only from specific industry-accepted external sources; where there is more than one designated time server, the time servers peer with one another to keep accurate time; internal systems receive time information only from designated central time server(s).

This sub-requirement is dense. Six checks for the QSA:

#CheckEvidence
1Designated central time server(s) existArchitecture diagram + DNS name/IP of the central server.
2Only the designated server(s) receive external timeFirewall rule allowing UDP/123 egress only from the designated server's IP; chrony.conf on all other systems pointing internally.
3External source is TAI/UTC-basedList of upstream NTP sources documented; all standard sources qualify (TAI/UTC is what NTP carries).
4Only industry-accepted external sourcesApproved-list document; typical: NIST, PTB, Cloudflare NTS, Netnod, INRIM, OP, or a GNSS Stratum 1 operated by a reputable infrastructure provider.
5Multiple designated servers peer with each otherchrony.conf with peer directive (or pool members configured to peer); demonstrated by chronyc sources showing peer entries.
6Internal systems only receive from designatedchrony.conf / w32tm config on a sample of internal hosts; each lists only the designated server(s), no public sources.

What "industry-accepted external sources" actually means

The PCI SSC has not published an exhaustive list. The convention that QSAs apply in 2026:

Accepted (typical). National metrology institutes (NIST, PTB, NPL, INRIM, OP), Stratum 1 servers operated by Cloudflare / Google / Netnod / Apple / a reputable hosting provider, NTS-capable sources (RFC 8915), pool members used downstream of a designated server.
Not accepted (common findings). Random members of pool.ntp.org as the direct source of the designated server (no authentication, no SLA, no audit trail); residential ISP routers; the AWS metadata IP 169.254.169.123 when no documentation links it to a TAI/UTC chain; servers whose operator cannot be identified.

4. 10.6.3 — Protecting settings and data

10.6.3 — Time synchronization settings and data are protected.

This sub-requirement is short but bites in three places:

  1. Filesystem. chrony.conf or ntp.conf owned by root, mode 0640 or stricter, located outside any world-readable share. On Windows, the W32Time registry keys protected by the default ACL plus group-policy enforcement.
  2. Change management. Every modification of the configuration raised as a ticket, peer-reviewed, history retained for at least the assessment window (typically 12 months).
  3. Channel authentication. The designated server's upstream channel must resist tampering. In 2026, NTS (RFC 8915) is the only standardized answer; symmetric keys are accepted if rotation and storage controls are documented (the latter often fails 10.6.3 — keys in clear in the config repo are a classic finding).

5. Reference topology for a 10.6-compliant CDE

The shape most QSAs find immediately defensible:

           ┌─────────────────────────────────────────┐
           │  External (industry-accepted sources)   │
           │  ───────────────────────────────────────  │
           │  • NIST time.nist.gov     (UDP 123)      │
           │  • Cloudflare NTS         (UDP 4460 NTS) │
           │  • Netnod NTS             (UDP 4460 NTS) │
           │  • GNSS Stratum 1 vendor  (UDP 123)      │
           └─────────────────┬───────────────────────┘
                             │ UDP 123 / 4460 egress restricted
                             │ to designated servers only (FW rule)
                             ▼
           ┌─────────────────────────────────────────┐
           │  Designated central time servers         │
           │  ───────────────────────────────────────  │
           │  ntp-cde-a.internal  (chrony 4.x, NTS)   │
           │  ntp-cde-b.internal  (chrony 4.x, NTS)   │
           │  ── peer with each other ──              │
           └─────────────────┬───────────────────────┘
                             │ Internal UDP 123 only
                             │ to ntp-cde-a/b
                             ▼
           ┌─────────────────────────────────────────┐
           │  In-scope CDE systems                    │
           │  ───────────────────────────────────────  │
           │  Payment apps · DBs · Firewalls · SIEM   │
           │  Jump hosts · Bastions · IDS · Auth      │
           └─────────────────────────────────────────┘

Two designated servers (10.6.2 requires multiple), peering with each other, fed only by industry-accepted external sources, with strict firewall containment between layers.

6. Evidence pack for the QSA assessment

Assemble in pci-dss/req-10.6/ before the assessment:

  1. Diagram. The three-tier topology above with actual hostnames and IPs.
  2. Designated server config. chrony.conf of both designated servers, sanitized.
  3. Internal sample. chrony.conf / W32Time export from a representative sample of in-scope systems (databases, application servers, firewalls, jump hosts).
  4. Firewall rules. Export of the egress rules restricting UDP/123 and UDP/4460 (NTS) to designated servers only.
  5. Approved sources document. One page listing each upstream and the rationale for "industry-accepted".
  6. Synchronization status. Output of chronyc tracking and chronyc sources on each designated server, dated within the assessment window.
  7. NTS proof. If using NTS, evidence of certificate validity and rotation procedure.
  8. Change history. Ticketing export covering NTP-config changes in the last 12 months.
  9. Test report. Output of the Online NTP Validator against each external source — stratum, offset, refID — collected within the assessment window.

7. v3.2.1 (legacy 10.4) → v4.0 (10.6) — what changed

PCI-DSS v3.2.1 located the time-synchronization requirement at 10.4 with three sub-requirements. v4.0 renumbered it to 10.6 and tightened the wording:

Aspectv3.2.1 (10.4)v4.0 (10.6)
Numbering10.4 / 10.4.1 / 10.4.2 / 10.4.310.6 / 10.6.1 / 10.6.2 / 10.6.3
External source restrictionImplicitExplicit: "industry-accepted external sources"
PeeringImplicitExplicit: "time servers peer with one another"
Protection of settingsOne sub-requirementTwo distinct angles: ACL + change management
Effective datev4.0 mandatory 31 March 2025

If your v3.2.1 evidence pack is robust, the v4.0 transition is mostly a re-tagging exercise plus a documented "approved sources" list and the explicit peering check.

8. Cross-framework reuse

A 10.6-compliant evidence pack closes time-sync requirements across the major frameworks with no additional artefacts:

RequirementPCI-DSS v4.0ISO 27001:2022NIS 2DORA
Designated/approved sourceReq. 10.6.1, 10.6.2A.8.17Art. 21(2)(c)Art. 11
Authenticated channelReq. 10.6.2 (industry-accepted)A.8.17 (implicit)Art. 21(2)(e)Art. 9(3)
Protected settingsReq. 10.6.3A.8.24 (key mgmt)Art. 21(2)(h)Art. 10
Audit-trail retentionReq. 10.7A.8.15Art. 23Art. 12

Validate your designated servers in 2 minutes

Test each upstream source on your approved-sources list. The validator captures stratum, offset, refID and dual-stack reach — drop the output straight into the QSA evidence folder.

Run the Validator → Full Audit Checklist

Different angle? Use the right tool:

An RDEM Systems publication · Online NTP Validator · NTP Audit Checklist · ISO 27001 8.17 · NIS 2 Requirements · Legal

Privacy