PCI DSS 10.4.1 has the following. Are the following processes implemented for critical systems to have the correct and consistent time: (a) Do only designated central time server(s) receive time signals from external sources, and are time signals from external sources based on International Atomic Time or UTC?   I do not mind having a known official external clock source(s) for a few designated servers. What I do not like is using ntp.pool.org and having all my access points getting time from NTP servers all over the world. It doesn't make sense to me from a security perspective. ... View more

I have this same question.  For PCI DSS compliance network devices need to get their NTP from an internal NTP server, not all over the known world of internet NTP servers.  It is kind of like advertising to any NTP server around the world, HEY! OVER HERE, I have a network to attack!  Provided a malicious actor decided to join the NTP pool, but that would never happen. ... View more