PCI Requirement 12

Maintain a policy that addresses information security for all personnel

Welcome to PCI Requirement 12, the final requirement listed in the PCI DSS. This requirement is centered around the management of your information security program, which stems from a strong information security policy that sets the tone and expectations for your employees.

This set of videos will help you understand what’s required of your organization to comply with PCI Requirement 12. Click on a video below to get started.

PCI Requirement 12 – Maintain a Policy that Addresses Information Security for All Personnel

We’ve finally made it! Here we are at PCI Requirement 12, the last of the PCI requirements. PCI Requirement 12 states, “Maintain a policy that addresses information security for all personnel.”
July 3, 2018/by Randy Bartels
PCI Requirement 12.1 & 12.1.1 – Establish, Publish, Maintain, and Disseminate a Security Policy

PCI Requirement 12.1 states, “Establish, publish, maintain, and disseminate a security policy.” Pretty straightforward, right? Guidance on information security policies is the focus of PCI Requirement 12. An organization’s information security policy creates the foundation for implementing security measures to protect valuable assets.
July 3, 2018/by Randy Bartels
PCI Requirement 12.2 – Implement a Risk Assessment Process

Most information security frameworks require a formally documented, annual risk assessment, and the PCI DSS is no different. PCI Requirement 12.2 focuses on risk assessments.
July 3, 2018/by Randy Bartels
PCI Requirement 12.3 – Develop Usage Policies for Critical Technologies and Define Proper Use of These Technologies

In order to prohibit inappropriate use of devices or technology, PCI Requirement 12.3 requires, “Develop usage policies for critical technologies and define proper use of these technologies.”
July 3, 2018/by Randy Bartels
PCI Requirement 12.3.1 – Explicit Approval by Authorized Parties

Your usage policies, as stated in PCI Requirement 12.3.1, should require explicit approval by authorized parties.
July 3, 2018/by Randy Bartels
PCI Requirement 12.3.2 – Authentication for Use of the Technology

We learned about authentication methods in PCI Requirement 7, and that ties in here. The more people who have access to cardholder data, the more risk there is. A crucial aspect of usage policies is authentication.
July 3, 2018/by Randy Bartels
PCI Requirement 12.3.3 – A List of All Devices and Personnel with Access

To create compliant usage policies, your organization must meet PCI Requirement 12.3.3, which requires you to keep a list of all devices and personnel with access.
July 3, 2018/by Randy Bartels
PCI Requirement 12.3.4 – A Method to Accurately and Readily Determine Owner, Contact Information, and Purpose

Your usage policies should have a method for identifying who an asset-owner is. PCI Requirement 12.3.4 specifically details, “A method to accurately and readily determine owner, contact information, and purpose.”
July 3, 2018/by Randy Bartels
PCI Requirement 12.3.5 – Acceptable Uses of the Technology

Your usage policies, as stated in PCI Requirement 12.3.5, should detail acceptable uses of the technology at your organization.
July 3, 2018/by Randy Bartels
PCI Requirement 12.3.6 – Acceptable Network Locations for the Technologies

Your usage policies, as stated in PCI Requirement 12.3.6, should detail acceptable network locations for the technology at your organization.
July 3, 2018/by Randy Bartels
PCI Requirement 12.3.7 – List of Company-Approved Products

Your usage policies, as stated in PCI Requirement 12.3.7, should include a list of company-approved products. This list will correlate with your acceptable uses of technology policy to create strong and secure usage policies.
July 3, 2018/by Randy Bartels
PCI Requirement 12.3.8 – Automatic Disconnect of Sessions for Remote-Access Technologies After a Specific Period of Inactivity

Remote-access technologies are a constant source of risk for critical resources and cardholder data.
July 3, 2018/by Randy Bartels
PCI Requirement 12.3.9 – Activation of Remote-Access Technologies for Vendors and Business Partners Only When Needed

Organizations on the road to PCI compliance must recognize the importance of vendor management.
July 3, 2018/by Randy Bartels
PCI Requirement 12.3.10 – For Personnel Accessing Cardholder Data via Remote-Access Technologies, Prohibit the Copying, Moving, and Storage of Cardholder Data onto Local Hard Drives and Removable Electronic Media

If you have employees who can access your cardholder data environment from remote-access technologies, you must comply with PCI Requirement 12.3.10.
July 3, 2018/by Randy Bartels
PCI Requirement 12.4 – Ensure Security Policies and Procedures Clearly Define Information Security Responsibilities for All Personnel

PCI Requirement 12.4 establishes the requirement to ensure that the security policy and procedures clearly define information security responsibilities for all personnel.
July 3, 2018/by Randy Bartels
PCI Requirement 12.4.1 – Additional Requirement for Service Providers Only: Executive Management Shall Establish Responsibility for the Protection of Cardholder Data and a PCI DSS Compliance Program

PCI Requirement 12.4.1 is a sub-requirement of PCI Requirement 12 and applies to service providers only.
July 3, 2018/by Randy Bartels
PCI Requirement 12.5 – Assign to an Individual or Team the Following Information Security Management Responsibilities

Building a PCI compliance program takes teamwork. PCI Requirement 12.5 recognizes this and requires that you assign an individual or team to the following information security management responsibilities.
July 3, 2018/by Randy Bartels
PCI Requirement 12.5.1 – Establish, Document, and Distribute Security Policies and Procedures

Building a PCI compliance program takes teamwork, and according to PCI Requirement 12.5.1, someone must establish, document, and distribute security policies and procedures.
July 3, 2018/by Randy Bartels
PCI Requirement 12.5.2 – Monitor and Analyze Security Alerts and Information, and Distribute to Appropriate Personnel

In PCI Requirement 10, we discussed a critical aspect of data protection: logging and tracking. Implementing logging mechanisms at your organization gives you the ability to track user activities, which is crucial in preventing, detecting, and minimizing the consequences of a data breach.
July 3, 2018/by Randy Bartels
PCI Requirement 12.5.3 – Establish, Document, and Distribute Security Incident Response and Escalation Procedures to Ensure Timely and Effective Handling of All Situations

Incident response plans are crucial to PCI compliance. PCI Requirement 12.5.3 requires that you have an individual assigned to establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.
July 3, 2018/by Randy Bartels
PCI Requirement 12.5.4 – Administer User Accounts, Including Additions, Deletions, and Modifications

In PCI Requirement 8.1.2, we learned there must be a formal program of control for additions, deletions, and modifications of user IDs and other credentials.
July 3, 2018/by Randy Bartels
PCI Requirement 12.5.5 – Monitor and Control All Access to Data

PCI Requirement 12.5.5 states, “Monitor and control all access to data.” Really, this is the whole point of PCI compliance, isn’t it?
July 3, 2018/by Randy Bartels
PCI Requirement 12.6 – Implement a Formal Security Awareness Program to Make All Personnel Aware of the CHD Data Security Policy and Procedures

PCI Requirement 12.6 requires that your organization implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.
July 3, 2018/by Randy Bartels
PCI Requirement 12.6.1 – Educate Personnel Upon Hire and at Least Annually

As part of your security awareness program, PCI Requirement 12.6.1 asks that you educate personnel upon hire and at least annually.
July 3, 2018/by Randy Bartels
PCI Requirement 12.6.2 – Require Personnel to Acknowledge at Least Annually That They Have Read and Understood the Security Policy and Procedures

As part of your security awareness program, PCI Requirement 12.6.2 requires personnel to acknowledge at least annually that they have read and understood the security policy and procedures.
July 3, 2018/by Jenna Kersten
PCI Requirement 12.7 – Screen Potential Personnel Prior to Hire

PCI Requirement 12.7 impacts your human resources department and hiring process.
July 3, 2018/by Randy Bartels
PCI Requirement 12.8 & 12.8.1 – Maintain and Implement Policies and Procedures to Manage Service Providers with whom Cardholder Data is Shared

No organization can do everything itself. Back-up tape storage facilities, web-hosting companies, security service providers – most organizations have some type of relationship with a third party or vendor.
July 3, 2018/by Randy Bartels
PCI Requirement 12.8.2 – Maintain a Written Agreement that Includes an Acknowledgement that the Service Providers are Responsible for the Security of Cardholder Data

PCI Requirement 12.8.2 focuses on relationships with service providers and asks organizations to maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.
July 3, 2018/by Randy Bartels
PCI Requirement 12.8.3 – Ensure there is an Established Process for Engaging Service Providers

PCI Requirement 12.8.3 asks organizations to ensure there is an established process for engaging service providers including proper due diligence prior to engagement.
July 3, 2018/by Randy Bartels
PCI Requirement 12.8.4 and 12.8.5 – Maintain a Program to Monitor Service Providers’ PCI DSS Compliance Status

PCI Requirement 12.8.4 requires that your organization maintain a program to monitor service providers’ PCI DSS compliance status at least annually.
July 3, 2018/by Randy Bartels
PCI Requirement 12.9 – Additional Requirement for Service Providers Only: Service Providers Acknowledge in Writing to Customers That They are Responsible for the Security of Cardholder Data

If you are a service provider, you must comply with PCI Requirement 12.9, which states, “Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.”
July 3, 2018/by Randy Bartels
PCI Requirement 12.10 – Implement an Incident Response Plan

PCI Requirement 12.10 requires organizations to implement an incident response plan and be prepared to respond immediately to a system breach.
July 3, 2018/by Randy Bartels
PCI Requirement 12.10.1 – Create the Incident Response Plan to Be Implemented in the Event of System Breach

Elements of Your Incident Response Plan
To develop a thorough…
July 3, 2018/by Randy Bartels
PCI Requirement 12.10.2 – Review and Test the Plan at Least Annually

You must test your incident response plan. What’s the point of the plan if you aren’t sure that it works? Without appropriate testing, major steps or gaps could be missed, which could result in increased exposure during a real incident.
July 3, 2018/by Randy Bartels
PCI Requirement 12.10.3 – Designate Specific Personnel to Be Available on a 24/7 Basis

Even if you’re a small organization, PCI Requirement 12.10.3 requires that you designate specific personnel to be available on a 24/7 basis to respond to alerts.
July 3, 2018/by Randy Bartels
PCI Requirement 12.10.4 – Provide Appropriate Training to Staff with Security Breach Responsibilities

PCI Requirement 12.10.4 requires that your organization provide appropriate training to staff with security breach response responsibilities.
July 3, 2018/by Randy Bartels
PCI Requirement 12.10.5 – Include Alerts from Security Monitoring Systems, Including but Not Limited to Intrusion-Detection, Intrusion-Prevention, Firewalls, and File-Integrity Monitoring Systems

PCI Requirement 12.10.5 states that your incident response plan should, “Include alerts from security monitoring systems, including but not limited to intrusion-detection, intrusion-prevention, firewalls, and file-integrity monitoring systems.”
July 3, 2018/by Randy Bartels
PCI Requirement 12.10.6 – Develop a Process to Modify and Evolve the Incident Response Plan According to Lessons Learned and to Incorporate Industry Developments

Your incident response plan should be easy to modify so that it can be kept as thorough and up-to-date as possible.
July 3, 2018/by Randy Bartels
PCI Requirement 12.11 – Additional Requirement for Service Providers Only: Perform Reviews at Least Quarterly to Confirm Personnel Are Following Security Policies and Operational Procedures

If you are a service provider, your organization must comply with PCI Requirement 12.11. It requires that you perform reviews at least quarterly to confirm personnel are following security policies and operational procedures.
July 3, 2018/by Randy Bartels
PCI Requirement 12.11.1 – Additional Requirement for Service Providers Only: Maintain Documentation of Quarterly Review Process

The final requirement in PCI Requirement 12 works in conjunction with PCI Requirement 12.11.
July 3, 2018/by Randy Bartels