PCI Requirement 12.10.3 – Designate Specific Personnel to Be Available on a 24/7 Basis

by Randy Bartels / April 5, 2023

24/7 Incident Response Team

Even if you’re a small organization, PCI Requirement 12.10.3 requires that you designate specific personnel to be available on a 24/7 basis to respond to alerts. The PCI DSS explains, “Without a trained and readily available incident response team, extended damage to the network could occur, and critical data and systems may become ‘polluted’ by inappropriate handling of the targeted systems. This can hinder the…

PCI Requirement 12.10.2 – Review and Test the Plan at Least Annually

by Randy Bartels / April 5, 2023

Testing Your Incident Response Plan

You must test your incident response plan. What’s the point of the plan if you aren’t sure that it works? Without appropriate testing, major steps or gaps could be missed, which could result in increased exposure during a real incident. PCI Requirement 12.10.2 states, “Review and test the plan, including all elements listed in Requirement 12.10.1, at least annually.” To verify compliance with PCI…

PCI Requirement 12.10.1 – Create the Incident Response Plan to Be Implemented in the Event of System Breach

by Randy Bartels / April 5, 2023

Elements of Your Incident Response Plan

To develop a thorough incident response plan, PCI Requirement 12.10.1 lists out the elements that should be included in your plan. At a minimum, your plan should include: roles, responsibilities, communication, and contact strategies in the event of a compromise, including notification of the payment brands; specific incident response procedures; business recovery and continuity procedures; data back-up processes; analysis of legal requirements for…

PCI Requirement 12.10 – Implement an Incident Response Plan

by Randy Bartels / April 5, 2023

Incident Response Plans

PCI Requirement 12.10 requires organizations to implement an incident response plan and be prepared to respond immediately to a system breach. Incident response plans are incredibly important to business continuity, and we believe that organizations should spend more time developing and testing their plan. The absolute worst thing that could happen in the event of an incident is no one knowing what to do next. There…

PCI Requirement 12.9 – Additional Requirement for Service Providers Only: Service Providers Acknowledge in Writing to Customers That They are Responsible for the Security of Cardholder Data

by Randy Bartels / April 5, 2023

Service Provider Responsibilities

If you are a service provider, you must comply with PCI Requirement 12.9, which states, “Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.” PCI Requirement 12.9…