Tone from the Top

PCI Requirement 12.4.1 is a sub-requirement of PCI Requirement 12 and applies to service providers only. It requires that executive management establish responsibility for the protection of cardholder data and for a PCI DSS compliance program. That responsibility includes overall accountability for maintaining PCI DSS compliance, defining a charter for the PCI DSS compliance program, and communicating that program to executive management.

PCI Requirement 12.4.1 is vital for a “tone from the top” attitude. The PCI DSS guidance says, “Executive management assignment of PCI DSS compliance responsibilities ensures executive-level visibility into the PCI DSS compliance program and allows for the opportunity to ask appropriate questions to determine the effectiveness of the program and influence strategic priorities.” Executive management could include your board of directors, C-level positions, investors, or other stakeholders.

To verify compliance with PCI Requirement 12.4.1, an assessor will examine documentation to see that executive management has been assigned accountability and will review the PCI DSS charter.

PCI Requirement 12.4.1 requires that service providers define and assign to somebody within the organization overall responsibility for managing PCI DSS compliance. What we’re looking for is a formal charter that defines what that responsibility looks like. We’re also looking to interview that individual, to talk with them about the charter and how they go about managing those responsibilities for PCI DSS.


We know that PCI DSS compliance can be intimidating, so we’ve provided this PCI DSS charter document template to help you comply with PCI Requirement 12.4.1.

PCI DSS Charter Document Template

Purpose:

The purpose of this charter is to establish the policies and procedures for complying with the Payment Card Industry Data Security Standard (PCI DSS). This charter defines the roles and responsibilities of employees and management in maintaining the confidentiality, integrity, and availability of cardholder data.

Scope:

This charter applies to all employees, contractors, and vendors who handle or have access to cardholder data in the organization’s systems or network. The scope of the PCI DSS compliance program covers all payment channels, including point-of-sale (POS), e-commerce, and mail order/telephone order (MOTO).

Roles and Responsibilities:

The following roles and responsibilities are defined for PCI DSS compliance:

  • Executive Sponsor: The executive sponsor is responsible for providing the necessary resources and support for the PCI DSS compliance program. The executive sponsor is also responsible for ensuring that the compliance program aligns with the organization’s overall security strategy and objectives.
  • Compliance Officer: The compliance officer is responsible for overseeing the PCI DSS compliance program, including managing the compliance project, conducting risk assessments, developing policies and procedures, and coordinating with internal and external auditors.
  • Security Officer: The security officer is responsible for ensuring the security of the organization’s systems and network, including implementing and maintaining technical security controls to protect cardholder data.
  • IT Operations: The IT operations team is responsible for implementing and maintaining the organization’s systems and network, including applying security patches and updates, monitoring systems for security incidents, and ensuring the availability of systems and network.
  • Business Units: Business units are responsible for ensuring that the systems and processes they use for handling cardholder data are compliant with the PCI DSS requirements.

PCI DSS Compliance Program:

The PCI DSS compliance program consists of the following elements:

  • Risk Assessment: The organization will conduct a risk assessment to identify the risks to cardholder data and the systems and processes that handle cardholder data.
  • Policies and Procedures: The organization will develop and implement policies and procedures that comply with the PCI DSS requirements.
  • Technical Controls: The organization will implement and maintain technical security controls to protect cardholder data, including firewalls, encryption, and access controls.
  • Security Monitoring: The organization will monitor its systems and network for security incidents and take appropriate action to address any security issues that arise.
  • Training and Awareness: The organization will provide training and awareness programs to employees, contractors, and vendors who handle cardholder data to ensure they understand their roles and responsibilities for protecting cardholder data.

Compliance Reporting:

The compliance officer will provide regular reports to executive management on the status of the PCI DSS compliance program, including the results of the risk assessment, progress in implementing policies and procedures, and any security incidents that occur.

Conclusion:

This PCI DSS charter document outlines the organization’s approach to achieving and maintaining compliance with the PCI DSS requirements. By following this charter, the organization can protect the confidentiality, integrity, and availability of cardholder data and ensure the trust of its customers and partners.

Still have questions about PCI DSS?

Do you still have questions about PCI Requirement 12.4.1, charter documentation, or just PCI DSS in general? We’ve got you covered. Here at KirkpatrickPrice, we want to partner with you for all of your PCI needs.

Connect with one of our experts today to start working toward your compliance goals.

Security Responsibilities

PCI Requirement 12.4 establishes the requirement to ensure that the security policy and procedures clearly define information security responsibilities for all personnel. Anyone with access to cardholder data will have some level of security responsibility, and they must be aware of that.

The PCI DSS guidance explains, “Without clearly defined security roles and responsibilities assigned, there could be inconsistent interaction with the security group, leading to unsecured implementation of technologies or use of outdated or unsecured technologies.”

To verify compliance with PCI Requirement 12.4, assessors will take a sample of personnel to interview about security policies and be sure they understand their level of security responsibility.

PCI Requirement 12.4 establishes the requirement to define security policies and procedures for all individuals. I want to emphasize the “all.” Anybody within your environment who has skin in the game around access to cardholder data will have some measure of security responsibility that they need to tend to. PCI Requirement 12.4 calls out the need to establish those policies and procedures.

Employees with Remote Access

If you have employees who can access your cardholder data environment from remote-access technologies, you must comply with PCI Requirement 12.3.10. It states, “For personnel accessing cardholder data via remote-access technologies, prohibit the copying, moving, and storage of cardholder data onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need. Where there is an authorized business need, the usage policies must require the data be protected in accordance with all applicable PCI DSS Requirements.”

Consider all employees who work from home; chances are, home networks and environments are not going to be as secure as your cardholder data environment, so cardholder data should never be moved, unless there is a specific business need for it. You must have some policy for prohibiting the copying, moving, and storage of cardholder data into local environments.

The PCI DSS further explains, “To ensure all personnel are aware of their responsibilities to not store or copy cardholder data onto their local personal computers or other media, your policy should clearly prohibit such activities except for personnel that have been explicitly authorized to do so.” Including PCI Requirement 12.3.10 in your usage policies will protect your environment from employees taking cardholder data into unsecure environments.

If you have employees who connect remotely and can access your cardholder data environment, PCI Requirement 12.3.10 requires that you have a process and program in place that prohibits them from moving, copying, and/or storing cardholder data in their local environment while connected remotely. Think about this: Johnny connects from home and transfers a database down to his environment to work on it. Chances are that his home environment is not as secure as your cardholder data environment. The PCI DSS is looking to establish this as a requirement. There is some leniency here, though. While it is generally prohibited, if your organization has a defined business need to do this in order to support your environment, it’s okay. However, management needs to be aware of it and then apply the appropriate controls.

Vendor Management in Usage Policies

Organizations on the road to PCI compliance must recognize the importance of vendor management. Your usage policies should include a vendor management aspect, outlined by PCI Requirement 12.3.9, “Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use.”

Wherever you have vendors or business partners coming into your environment to support you for one reason or another, we’re going to look to ensure that your usage policies, procedures, and controls stipulate that their remote-access technologies and user accounts are only enabled when absolutely required to support your business. At all other times, those accounts should be disabled, and nobody should be able to use them unless management approves opening them for your vendors or business partners to come in and support you.
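One way to operationalize the “enabled only when needed, deactivated immediately after use” rule is a scheduled reconciliation job that compares enabled vendor accounts with the access windows management has approved. The following is an added example written for this post, not code from the original article or from KirkpatrickPrice; the account list, approval records and field names are constructed, and a real job would read them from the directory and the ticketing system and call the directory’s disable API instead of returning a list.

```python
"""Reconcile vendor remote-access accounts against management approvals
(PCI DSS 12.3.9). Added example; data and field names are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Approval:
    """A management-approved access window for one vendor account."""
    username: str
    starts: datetime
    ends: datetime


def needs_deactivation(username: str, enabled: bool,
                       approvals: list[Approval], now: datetime) -> bool:
    """True when the account is enabled but no approval covers 'now'.

    Covers the three failure cases: no approval on file, a window that has
    already ended, and a window that has not started yet.
    """
    if not enabled:
        return False
    return not any(a.username == username and a.starts <= now < a.ends
                   for a in approvals)


def reconcile(accounts: dict[str, bool], approvals: list[Approval],
              now: datetime) -> list[str]:
    """Return the vendor accounts that should be disabled right now, sorted."""
    return sorted(user for user, enabled in accounts.items()
                  if needs_deactivation(user, enabled, approvals, now))


# Constructed sample data: username -> currently enabled in the directory.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = {
    "vendor-pos-support": True,   # approved window covers NOW: keep enabled
    "vendor-hvac": True,          # window ended yesterday: disable
    "vendor-erp": True,           # no approval on file: disable
    "vendor-backup": False,       # already disabled: nothing to do
    "vendor-audit": True,         # window starts tomorrow: disable until then
}
SAMPLE_APPROVALS = [
    Approval("vendor-pos-support",
             datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc),
             datetime(2024, 1, 15, 17, 0, tzinfo=timezone.utc)),
    Approval("vendor-hvac",
             datetime(2024, 1, 14, 9, 0, tzinfo=timezone.utc),
             datetime(2024, 1, 14, 17, 0, tzinfo=timezone.utc)),
    Approval("vendor-audit",
             datetime(2024, 1, 16, 9, 0, tzinfo=timezone.utc),
             datetime(2024, 1, 16, 17, 0, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for user in reconcile(SAMPLE_ACCOUNTS, SAMPLE_APPROVALS, NOW):
        print(f"disable {user}")
```

Running the job on a short interval gives you the “immediate deactivation after use” evidence an assessor asks for: the approval record shows who authorized the window, and the job’s output shows that accounts outside a window were disabled without waiting for someone to remember.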

Automatic Disconnect in Your Usage Policies

Remote-access technologies are a constant source of risk for critical resources and cardholder data. This is why PCI Requirement 12.3.8 requires that your usage policies include, “Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity.”

In PCI Requirement 8.1.8, we gave you this scenario: A user walks away from an open machine that has access to critical system components and/or cardholder data. That machine is then used by a malicious individual in the user’s absence, resulting in unauthorized account access and/or misuse. How can PCI Requirement 12.3.8 help prevent a scenario like this? By including an automatic disconnect rule for remote-access technologies in your usage policies, you can minimize the risk of malicious access.

To verify compliance with PCI Requirement 12.3.8, an assessor will need to examine your usage policies to ensure that they require automatic disconnect of sessions for remote-access technologies after a specific period of inactivity, or they will examine configurations for remote-access technologies.

PCI Requirement 12.3.8 stipulates that you have an automatic disconnect of sessions after a defined period of inactivity. Back in PCI Requirement 8, we talked about having a 15-minute session timeout; in PCI Requirement 12.3.8, you’re establishing the policy around that particular requirement.
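Because the assessor may examine the remote-access configurations as well as the policy, it helps to have a check that turns a configuration file into an answer to “how long can a session linger?” The following is an added example for this post, not code from the original article or from KirkpatrickPrice. It assumes OpenSSH sshd_config syntax and a policy limit of 15 minutes (900 seconds), the timeout discussed under PCI Requirement 8; the sample configurations are constructed. It also handles the two settings that silently defeat the policy: a ClientAliveInterval of 0 (the default, which sends no probes) and a ClientAliveCountMax of 0 (which, in OpenSSH 8.2 and later, disables termination).

```python
"""Audit an sshd_config for the PCI DSS 12.3.8 idle-disconnect policy.
Added example; the policy limit and sample configurations are assumptions."""
from __future__ import annotations

import re

POLICY_MAX_IDLE_SECONDS = 900  # 15 minutes, the limit assumed by this example

# Constructed sample configurations: one compliant, one that never disconnects,
# one that disconnects too late, and one that relies on the defaults.
SAMPLE_CONFIGS = {
    "compliant": "ClientAliveInterval 300\nClientAliveCountMax 3\n",
    "count_zero": "ClientAliveInterval 300\nClientAliveCountMax 0\n",
    "too_long": "ClientAliveInterval 1200\nClientAliveCountMax 3\n",
    "defaults": "PermitRootLogin no\n",
}


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return keyword -> first value, the way sshd resolves repeated keywords.

    Keywords are case-insensitive, '#' starts a comment, and both
    'key value' and 'key=value' forms are accepted. Match blocks are not
    modelled here.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key = parts[0].lower()
        if key not in settings:  # the first obtained value wins in sshd
            settings[key] = parts[1].strip()
    return settings


def effective_disconnect_seconds(settings: dict[str, str]) -> int | None:
    """Seconds after which sshd drops an unresponsive client, or None for never."""
    interval = int(settings.get("clientaliveinterval", "0"))  # sshd default 0
    count = int(settings.get("clientalivecountmax", "3"))     # sshd default 3
    if interval <= 0 or count <= 0:
        return None  # no probes sent, or termination disabled
    return interval * count


def check_idle_disconnect(text: str,
                          limit: int = POLICY_MAX_IDLE_SECONDS) -> tuple[bool, str]:
    """Evaluate one configuration against the policy limit."""
    seconds = effective_disconnect_seconds(parse_sshd_config(text))
    if seconds is None:
        return False, "unresponsive sessions are never disconnected"
    if seconds > limit:
        return False, f"disconnect after {seconds}s exceeds policy limit of {limit}s"
    return True, f"disconnect after {seconds}s is within policy limit of {limit}s"


if __name__ == "__main__":
    for name, text in SAMPLE_CONFIGS.items():
        ok, why = check_idle_disconnect(text)
        print(f"{name:10} {'PASS' if ok else 'FAIL'}: {why}")
```

One caveat worth raising with the assessor: the ClientAlive settings measure whether the client still responds, not whether the user is still typing, so a user who walks away from a connected client is not disconnected by them. The scenario from PCI Requirement 8.1.8 also needs a user-inactivity timer, such as the remote-access gateway’s idle timeout or a shell TMOUT, and your usage policy should name which control provides it.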