PCI Requirement 12.8 & 12.8.1 – Maintain and Implement Policies and Procedures to Manage Service Providers with whom Cardholder Data is Shared

by Randy Bartels / April 5, 2023

Service Providers with Access to Cardholder Data No organization can do everything themselves. Back-up tape storage facilities, web-hosting companies, security service providers – most organizations have some type of relationship with a third-party or vendor. That's why PCI Requirement 12.8 focuses on vendor management and asks organizations to maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the…

PCI Requirement 12.7 – Screen Potential Personnel Prior to Hire

by Randy Bartels / April 5, 2023

Screening Candidates PCI Requirement 12.7 impacts your human resources department and hiring process. We've focused so much on external risks, but PCI Requirement 12.7 asks organizations to screen potential personnel prior to hire to minimize the risk of attacks from internal sources. Background checks could include previous employment history, criminal record, credit history, and reference checks. Background checks are a common aspect of hiring processes, but it's a requirement of…

PCI Requirement 12.6.1 – Educate Personnel Upon Hire and at Least Annually

by Randy Bartels / April 5, 2023

Education for Personnel As part of your security awareness program, PCI Requirement 12.6.1 asks that you educate personnel upon hire and at least annually. The PCI DSS recognizes that if your security awareness program does not include periodic refreshers or training, key security policies and procedures may be forgotten or circumvented, which could result in exposed or at-risk critical resources and cardholder data. This education could be different for…

PCI Requirement 12.6 – Implement a Formal Security Awareness Program to Make All Personnel Aware of the CHD Data Security Policy and Procedures

by Randy Bartels / April 5, 2023

Developing a Security Awareness Program PCI Requirement 12.6 requires that your organization implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures. Without compliance with this requirement, how would your program even work properly? If personnel are not educated and aware of their security responsibilities, security safeguards and processes that you've worked hard to develop and implement may become ineffective…

PCI Requirement 12.5.5 – Monitor and Control All Access to Data

by Randy Bartels / April 5, 2023

Someone to Monitor and Control All Access to Data PCI Requirement 12.5.5 states, "Monitor and control all access to data." Really, this is the whole point of PCI compliance, isn't it? Without someone formally responsible for monitoring and giving access to cardholder data, that data does not have the protection it needs. Throughout the PCI DSS, it talks about key management, data custodians, and giving access based on a…