PCI Requirement 12.11.1 – Additional Requirement for Service Providers Only: Maintain Documentation of Quarterly Review Process

by Randy Bartels / April 5, 2023

 Documenting Your Review Process The final requirement in PCI Requirement 12 works in conjunction with PCI Requirement 12.11. PCI Requirement 12.11.1 mandates organizations to maintain documentation of a quarterly review process, which should include documenting results of the reviews and review/sign-off of results by personnel assigned responsibility for the PCI DSS compliance program. Why are PCI Requirement 12.11 and PCI Requirement 12.11.1 listed separately? The PCI DSS explains, “The…

PCI Requirement 12.11 – Additional Requirement for Service Providers Only: Perform Reviews at Least Quarterly to Confirm Personnel Are Following Security Policies and Operational Procedures

by Randy Bartels / April 5, 2023

 Reviewing Your Personnel If you are a service provider, your organization must comply with PCI Requirement 12.11. It requires that you perform reviews at least quarterly to confirm personnel are following security policies and operational procedures. These reviews must cover the following processes: Daily log reviews Firewall rule-set reviews Applying configuration standards to new systems Responding to security alerts Change management processes The PCI DSS explains, “Regularly confirming that…

PCI Requirement 12.10.6 – Develop a Process to Modify and Evolve the Incident Response Plan According to Lessons Learned and to Incorporate Industry Developments

by Randy Bartels / April 5, 2023

 Modifying Your Incident Response Plan Your incident response plan should be able to easily modify so it can be as thorough and up-to-date as possible. PCI Requirement 12.10.6 says, “Develop a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments.” This is sort of a management exercise to analyze what could’ve been done better during incident response and to keep…

PCI Requirement 12.10.5 – Include Alerts from Security Monitoring Systems, Including but Not Limited to Intrusion-Detection, Intrusion-Prevention, Firewalls, and File-Integrity Monitoring Systems

by Randy Bartels / April 5, 2023

 Monitoring Mechanisms in Incident Response Plans PCI Requirement 12.10.5 states that your incident response plan should, “Include alerts from security monitoring systems, including but not limited to intrusion-detection, intrusion-prevention, firewalls, and file-integrity monitoring systems.” We’ve talked about these monitoring mechanisms in PCI Requirement 10 and PCI Requirement 11, but what do they have to do with incident response? The PCI DSS explains, “These monitoring systems are designed to focus…

PCI Requirement 12.10.4 – Provide Appropriate Training to Staff with Security Breach Responsibilities

by Randy Bartels / April 5, 2023

 Training Your Incident Response Team PCI Requirement 12.10.4 requires that your organization provides appropriate training to staff with security breach response responsibilities. One type of training that we recommend is table-top incident response exercises. Experts suggest that participating in table-top exercises to simulate a real-world scenario is the best way to prepare and test your incident response plan. When facilitating these exercises at your organization, be sure that the…