PCI Archives

PCI Requirement 12.3.1 – Explicit Approval by Authorized Parties

by Randy Bartels / December 16, 2022

Who Approves Usage Policies? Your usage policies, as stated in PCI Requirement 12.3.1, should require explicit approval by authorized parties. The PCI DSS explains that if your usage policies do not require formal approval for implementation of critical technologies, your personnel may innocently implement a solution to a perceived business need, but also open a gap that puts critical systems and cardholder data at risk. To test compliance with…

PCI Requirement 12.3 – Develop Usage Policies for Critical Technologies and Define Proper Use of These Technologies

by Randy Bartels / December 16, 2022

Developing Usage Policies In order to prohibit inappropriate use of devices or technology, PCI Requirement 12.3 requires, “Develop usage policies for critical technologies and define proper use of these technologies.” Critical technologies may be things like laptops, tablets, removable electronic media, or the Internet. If usage policies are not implemented, your personnel could use the critical technologies in a way that violates company policy, allowing malicious individuals to gain…

PCI Requirement 12.2 – Implement a Risk Assessment Process

by Randy Bartels / December 16, 2022

What is a Risk Assessment? Most information security frameworks require a formally documented, annual risk assessment, and the PCI DSS is no different. PCI Requirement 12.2 focuses on risk assessments. We recommend that you implement a risk assessment process that is based off an industry best practices, but PCI Requirement 12.2 states that you should implement a risk assessment process that includes the following characteristics: Performed annually or after…

PCI Requirement 12.1 & 12.1.1 – Establish, Publish, Maintain, and Disseminate a Security Policy

by Randy Bartels / December 16, 2022

Establishing an Information Security Policy PCI Requirement 12.1 states, “Establish, publish, maintain, and disseminate a security policy.” Pretty straightforward, right? Guidance on information security policies is the focus of PCI Requirement 12. An organization’s information security policy creates the foundation for implementing security measures to protect valuable assets. To comply with PCI Requirement 12.1, organizations must meet all four steps: establish, publish, maintain, and disseminate. When you’ve determined what’s…

PCI Requirement 12 – Maintain a Policy that Addresses Information Security for All Personnel

by Randy Bartels / December 16, 2022

We’ve finally made it! Here we are at PCI Requirement 12, the last of the PCI requirements. PCI Requirement 12 states, “Maintain a policy that addresses information security for all personnel.” This requirement is centered around the management of your information security program, which stems from a strong information security policy that sets the tone and expectations for your employees. In order to create a strong information security policy,…

Blog

PCI

PCI Requirement 12.3.1 – Explicit Approval by Authorized Parties

PCI Requirement 12.3 – Develop Usage Policies for Critical Technologies and Define Proper Use of These Technologies

PCI Requirement 12.2 – Implement a Risk Assessment Process

PCI Requirement 12.1 & 12.1.1 – Establish, Publish, Maintain, and Disseminate a Security Policy

PCI Requirement 12 – Maintain a Policy that Addresses Information Security for All Personnel

Categories

Newsletter

Learn what you need to get started with our Audit Readiness Guide.