PCI Requirement 12

Maintain a policy that addresses information security for all personnel

Welcome to PCI Requirement 12, the final requirement listed in the PCI DSS. This requirement is centered around the management of your information security program, which stems from a strong information security policy that sets the tone and expectations for your employees.

This set of videos will help you understand what’s required of your organization to comply with PCI Requirement 12. Click on a video below to get started.

PCI Requirement 12 - Maintain a Policy that Addresses Information Security for All Personnel

We’ve finally made it! Here we are at PCI Requirement 12, the last of the PCI requirements. PCI Requirement 12 states, “Maintain a policy that addresses information security for all personnel.”
July 3, 2018/by Jeff Wilder
PCI Requirement 12.1 & 12.1.1 – Establish, Publish, Maintain, and Disseminate a Security Policy

PCI Requirement 12.1 states, “Establish, publish, maintain, and disseminate a security policy.” Pretty straightforward, right? Guidance on information security policies is the focus of PCI Requirement 12. An organization’s information security policy creates the foundation for implementing security measures to protect valuable assets.
July 3, 2018/by Jeff Wilder
PCI Requirement 12.2 – Implement a Risk Assessment Process

Most information security frameworks require a formally documented, annual risk assessment, and the PCI DSS is no different. PCI Requirement 12.2 focuses on risk assessments.
July 3, 2018/by Jeff Wilder
PCI Requirement 12.3 – Develop Usage Policies for Critical Technologies and Define Proper Use of These Technologies

In order to prohibit inappropriate use of devices or technology, PCI Requirement 12.3 requires, “Develop usage policies for critical technologies and define proper use of these technologies.”
July 3, 2018/by Jeff Wilder
PCI Requirement 12.3.1 – Explicit Approval by Authorized Parties

Your usage policies, as stated in PCI Requirement 12.3.1, should require explicit approval by authorized parties.
July 3, 2018/by Jeff Wilder
PCI Requirement 12.3.2 – Authentication for Use of the Technology

We learned about authentication methods in PCI Requirement 8, and that ties in here: a crucial aspect of usage policies is requiring authentication before the technology can be used. The more people who have access to cardholder data, the more risk there is.
July 3, 2018/by Jeff Wilder
PCI Requirement 12.3.3 – A List of All Devices and Personnel with Access

To create compliant usage policies, your organization must meet PCI Requirement 12.3.3, which requires you to keep a list of all devices and personnel with access.
July 3, 2018/by Jeff Wilder
PCI Requirement 12.3.4 – A Method to Accurately and Readily Determine Owner, Contact Information, and Purpose

Your usage policies should have a method for identifying who an asset-owner is. PCI Requirement 12.3.4 specifically details, “A method to accurately and readily determine owner, contact information, and purpose.”
July 3, 2018/by Jeff Wilder
PCI Requirement 12.3.5 – Acceptable Uses of the Technology

Your usage policies, as stated in PCI Requirement 12.3.5, should detail acceptable uses of the technology at your organization.
July 3, 2018/by Jeff Wilder
PCI Requirement 12.3.6 – Acceptable Network Locations for the Technologies

Your usage policies, as stated in PCI Requirement 12.3.6, should detail acceptable network locations for the technology at your organization.
July 3, 2018/by Jeff Wilder
PCI Requirement 12.3.7 – List of Company-Approved Products

Your usage policies, as stated in PCI Requirement 12.3.7, should include a list of company-approved products. This list will correlate with your acceptable uses of technology policy to create strong and secure usage policies.
July 3, 2018/by Jeff Wilder
PCI Requirement 12.3.8 – Automatic Disconnect of Sessions for Remote-Access Technologies After a Specific Period of Inactivity

Remote-access technologies are a constant source of risk for critical resources and cardholder data.
July 3, 2018/by Jeff Wilder
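The disconnect-after-inactivity control in 12.3.8 is one of the few items in Requirement 12 that can be verified directly on a host, so here is an added example (written for this page, not code from the videos or from the PCI SSC) that audits a Linux SSH jump host's settings. Two assumptions are made: the sample `sshd_config` and `profile.d` snippets are constructed, and the 15-minute limit is borrowed from Requirement 8.1.8 (12.3.8 itself names no number). The check deliberately separates two things that are often confused: OpenSSH's `ClientAliveInterval`/`ClientAliveCountMax` only drops clients that stop answering keepalives (a dead connection), whereas a shell `TMOUT` is what actually logs out a human operator who has walked away.

```python
"""Audit idle-session disconnect settings on a Linux SSH jump host.

Added example for PCI DSS 12.3.8; the config snippets below are constructed,
and the 15-minute limit is an assumption borrowed from Requirement 8.1.8.
"""
import re

IDLE_LIMIT_SECONDS = 15 * 60  # assumption: 8.1.8's 15-minute idle figure


def parse_sshd_config(text):
    """Return {keyword_lower: value} using sshd's first-match-wins rule.

    Comments and blank lines are ignored. Parsing stops at the first
    'Match' block, because settings after it are conditional and would
    need the connection context to evaluate.
    """
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def dead_peer_timeout(settings):
    """Seconds before sshd drops a client that stops answering keepalives.

    ClientAliveInterval 0 (the OpenSSH default) disables keepalives, so a
    hung VPN or laptop-in-a-bag session is never torn down. This is dead
    peer detection, not an inactivity timer for a live, idle user.
    """
    interval = int(settings.get("clientaliveinterval", 0))
    count = int(settings.get("clientalivecountmax", 3))
    return interval * count if interval > 0 else None


def shell_timeout(profile_text):
    """Return the TMOUT value (seconds) set in a profile.d snippet, or None.

    bash exits an interactive shell after TMOUT seconds with no input,
    which is what 'inactivity' means for a human operator.
    """
    m = re.search(r"^\s*(?:(?:readonly|export)\s+)?TMOUT=(\d+)", profile_text, re.M)
    return int(m.group(1)) if m else None


def audit(sshd_text, profile_text, limit=IDLE_LIMIT_SECONDS):
    """Return a list of findings; an empty list means both controls pass."""
    findings = []
    dpd = dead_peer_timeout(parse_sshd_config(sshd_text))
    if dpd is None:
        findings.append("sshd: ClientAliveInterval is 0, dead connections are never dropped")
    elif dpd > limit:
        findings.append(f"sshd: dead-peer timeout {dpd}s exceeds {limit}s")
    tmout = shell_timeout(profile_text)
    if tmout is None:
        findings.append("shell: TMOUT not set, idle interactive sessions never terminate")
    elif tmout > limit:
        findings.append(f"shell: TMOUT={tmout}s exceeds {limit}s")
    return findings


# Constructed samples: the OpenSSH defaults (weak) beside a hardened pair.
WEAK_SSHD = """\
# /etc/ssh/sshd_config (constructed sample, OpenSSH defaults)
Port 22
ClientAliveInterval 0
ClientAliveCountMax 3
"""
WEAK_PROFILE = "# /etc/profile.d/timeout.sh (constructed sample, nothing set)\n"

HARDENED_SSHD = """\
# /etc/ssh/sshd_config (constructed sample, hardened)
Port 22
ClientAliveInterval 300
ClientAliveCountMax 3
"""
HARDENED_PROFILE = """\
# /etc/profile.d/timeout.sh (constructed sample, hardened)
TMOUT=900
readonly TMOUT
export TMOUT
"""

if __name__ == "__main__":
    for label, sshd, prof in (("weak", WEAK_SSHD, WEAK_PROFILE),
                              ("hardened", HARDENED_SSHD, HARDENED_PROFILE)):
        print(label, audit(sshd, prof) or ["ok"])
```

Run it against real files by reading `/etc/ssh/sshd_config` and the relevant `/etc/profile.d/*.sh` into the two text arguments. The hardened sample passes both checks only because `TMOUT` is made `readonly`; without that, any user can `unset TMOUT` and the control is advisory. Remote-access paths other than SSH (VPN concentrators, RDP gateways, vendor portals) have their own idle timers and need their own checks.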
PCI Requirement 12.3.9 – Activation of Remote-Access Technologies for Vendors and Business Partners Only When Needed

Organizations on the road to PCI compliance must recognize the importance of vendor management.
July 3, 2018/by Jeff Wilder
PCI Requirement 12.3.10 – For Personnel Accessing Cardholder Data via Remote-Access Technologies, Prohibit the Copying, Moving, and Storage of Cardholder Data onto Local Hard Drives and Removable Electronic Media

If you have employees who can access your cardholder data environment from remote-access technologies, you must comply with PCI Requirement 12.3.10.
July 3, 2018/by Jeff Wilder
PCI Requirement 12.4 – Ensure Security Policies and Procedures Clearly Define Information Security Responsibilities for All Personnel

PCI Requirement 12.4 establishes the requirement to ensure that the security policy and procedures clearly define information security responsibilities for all personnel.
July 3, 2018/by Jeff Wilder
PCI Requirement 12.4.1 – Additional Requirement for Service Providers Only: Executive Management Shall Establish Responsibility for the Protection of Cardholder Data and a PCI DSS Compliance Program

PCI Requirement 12.4.1 is a sub-requirement of PCI Requirement 12.4 and applies to service providers only: executive management must establish responsibility for the protection of cardholder data and for the PCI DSS compliance program.
July 3, 2018/by Jeff Wilder
PCI Requirement 12.5 – Assign to an Individual or Team the Following Information Security Management Responsibilities

Building a PCI compliance program takes teamwork. PCI Requirement 12.5 recognizes this and requires that you assign an individual or team to the following information security management responsibilities.
July 3, 2018/by Jeff Wilder
PCI Requirement 12.5.1 – Establish, Document, and Distribute Security Policies and Procedures

Building a PCI compliance program takes teamwork, and according to PCI Requirement 12.5.1, someone must establish, document, and distribute security policies and procedures.
July 3, 2018/by Jeff Wilder
PCI Requirement 12.5.2 – Monitor and Analyze Security Alerts and Information, and Distribute to Appropriate Personnel

In PCI Requirement 10, we discussed a critical aspect of data protection: logging and tracking. Implementing logging mechanisms at your organization gives you the ability to track user activities, which is crucial in preventing, detecting, and minimizing the consequences of a data breach.
July 3, 2018/by Jeff Wilder
PCI Requirement 12.5.3 – Establish, Document, and Distribute Security Incident Response and Escalation Procedures to Ensure Timely and Effective Handling of All Situations

Incident response plans are crucial to PCI compliance. PCI Requirement 12.5.3 requires that you have an individual assigned to establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.
July 3, 2018/by Jeff Wilder
PCI Requirement 12.5.4 – Administer User Accounts, Including Additions, Deletions, and Modifications

In PCI Requirement 8.1.2, we learned there must be a formal program of control for additions, deletions, and modifications of user IDs and other credentials.
July 3, 2018/by Jeff Wilder
PCI Requirement 12.5.5 – Monitor and Control All Access to Data

PCI Requirement 12.5.5 states, “Monitor and control all access to data.” Really, this is the whole point of PCI compliance, isn’t it?
July 3, 2018/by Jeff Wilder
PCI Requirement 12.6 – Implement a Formal Security Awareness Program to Make All Personnel Aware of the Cardholder Data Security Policy and Procedures

PCI Requirement 12.6 requires that your organization implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.
July 3, 2018/by Jeff Wilder
PCI Requirement 12.6.1 – Educate Personnel Upon Hire and at Least Annually

As part of your security awareness program, PCI Requirement 12.6.1 asks that you educate personnel upon hire and at least annually.
July 3, 2018/by Jeff Wilder
PCI Requirement 12.6.2 – Require Personnel to Acknowledge at Least Annually That They Have Read and Understood the Security Policy and Procedures

As part of your security awareness program, PCI Requirement 12.6.2 requires personnel to acknowledge at least annually that they have read and understood the security policy and procedures.
July 3, 2018/by Jenna Kersten
PCI Requirement 12.7 – Screen Potential Personnel Prior to Hire

PCI Requirement 12.7 impacts your human resources department and hiring process.
July 3, 2018/by Jeff Wilder
PCI Requirement 12.8 & 12.8.1 – Maintain and Implement Policies and Procedures to Manage Service Providers with whom Cardholder Data is Shared

No organization can do everything itself. Backup tape storage facilities, web-hosting companies, security service providers: most organizations have some type of relationship with a third party or vendor.
July 3, 2018/by Jeff Wilder
PCI Requirement 12.8.2 – Maintain a Written Agreement that Includes an Acknowledgement that the Service Providers are Responsible for the Security of Cardholder Data

PCI Requirement 12.8.2 focuses on relationships with service providers and asks organizations to maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.
July 3, 2018/by Jeff Wilder
PCI Requirement 12.8.3 – Ensure there is an Established Process for Engaging Service Providers

PCI Requirement 12.8.3 asks organizations to ensure there is an established process for engaging service providers including proper due diligence prior to engagement.
July 3, 2018/by Jeff Wilder
PCI Requirement 12.8.4 and 12.8.5 – Maintain a Program to Monitor Service Providers’ PCI DSS Compliance Status

PCI Requirement 12.8.4 requires that your organization maintain a program to monitor service providers’ PCI DSS compliance status at least annually, and PCI Requirement 12.8.5 requires that you maintain information about which PCI DSS requirements are managed by each service provider and which are managed by your organization.
July 3, 2018/by Jeff Wilder
PCI Requirement 12.9 – Additional Requirement for Service Providers Only: Service Providers Acknowledge in Writing to Customers That They are Responsible for the Security of Cardholder Data

If you are a service provider, you must comply with PCI Requirement 12.9, which states, “Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.”
July 3, 2018/by Jeff Wilder
PCI Requirement 12.10 – Implement an Incident Response Plan

PCI Requirement 12.10 requires organizations to implement an incident response plan and be prepared to respond immediately to a system breach.
July 3, 2018/by Jeff Wilder
PCI Requirement 12.10.1 – Create the Incident Response Plan to Be Implemented in the Event of System Breach

Elements of Your Incident Response Plan
To develop a thorough…
July 3, 2018/by Jeff Wilder
PCI Requirement 12.10.2 – Review and Test the Plan at Least Annually

You must test your incident response plan. What’s the point of the plan if you aren’t sure that it works? Without appropriate testing, major steps or gaps could be missed, which could result in increased exposure during a real incident.
July 3, 2018/by Jeff Wilder
PCI Requirement 12.10.3 – Designate Specific Personnel to Be Available on a 24/7 Basis

Even if you’re a small organization, PCI Requirement 12.10.3 requires that you designate specific personnel to be available on a 24/7 basis to respond to alerts.
July 3, 2018/by Jeff Wilder
PCI Requirement 12.10.4 – Provide Appropriate Training to Staff with Security Breach Responsibilities

PCI Requirement 12.10.4 requires that your organization provide appropriate training to staff with security breach response responsibilities.
July 3, 2018/by Jeff Wilder
PCI Requirement 12.10.5 – Include Alerts from Security Monitoring Systems, Including but Not Limited to Intrusion-Detection, Intrusion-Prevention, Firewalls, and File-Integrity Monitoring Systems

PCI Requirement 12.10.5 states that your incident response plan should, “Include alerts from security monitoring systems, including but not limited to intrusion-detection, intrusion-prevention, firewalls, and file-integrity monitoring systems.”
July 3, 2018/by Jeff Wilder
PCI Requirement 12.10.6 – Develop a Process to Modify and Evolve the Incident Response Plan According to Lessons Learned and to Incorporate Industry Developments

Your incident response plan should be easy to modify so that it stays as thorough and up to date as possible, incorporating lessons learned from each incident and test as well as relevant industry developments.
July 3, 2018/by Jeff Wilder
PCI Requirement 12.11 – Additional Requirement for Service Providers Only: Perform Reviews at Least Quarterly to Confirm Personnel Are Following Security Policies and Operational Procedures

If you are a service provider, your organization must comply with PCI Requirement 12.11. It requires that you perform reviews at least quarterly to confirm personnel are following security policies and operational procedures.
July 3, 2018/by Jeff Wilder
PCI Requirement 12.11.1 – Additional Requirement for Service Providers Only: Maintain Documentation of Quarterly Review Process

The final requirement in PCI Requirement 12 works in conjunction with PCI Requirement 12.11: service providers must document the quarterly review process, including the results of each review and sign-off by the personnel assigned responsibility for the PCI DSS compliance program.
July 3, 2018/by Jeff Wilder