Blog

PCI Requirement 12.10.1 – Create the Incident Response Plan to Be Implemented in the Event of System Breach

by Randy Bartels / April 5, 2023

Elements of Your Incident Response Plan To develop a thorough incident response plan, PCI Requirement 12.10.1 lists out the elements that should be included in your plan. At a minimum, your plan should include: Roles, responsibilities, communication, and contact strategies in the event of a compromise including notification of the payment brands Specific incident response procedures Business recovery and continuity procedures Data back-up processes Analysis of legal requirements for…

PCI Requirement 12.10 – Implement an Incident Response Plan

by Randy Bartels / April 5, 2023

Incident Response Plans PCI Requirement 12.10 requires organizations to implement an incident response plan and be prepared to respond immediately to a system breach. Incident response plans are incredibly important to business continuity, and we believe that organizations should spend more time developing and testing their plan. The absolute worst thing that could happen in the event of an incident is no one knowing what to do next. There…

PCI Requirement 12.9 – Additional Requirement for Service Providers Only: Service Providers Acknowledge in Writing to Customers That They are Responsible for the Security of Cardholder Data

by Randy Bartels / April 5, 2023

Service Provider Responsibilities If you are a service provider, you must comply with PCI Requirement 12.9, which states, “Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.” PCI Requirement 12.9…

PCI Requirement 12.8.4 and 12.8.5 – Maintain a Program to Monitor Service Providers’ PCI DSS Compliance Status

by Randy Bartels / April 5, 2023

Service Provider Compliance PCI Requirement 12.8.4 requires that your organization maintain a program to monitor service providers’ PCI DSS compliance status at least annually. Your service providers don’t necessarily need to be compliant, but they need to perform the services that they’re providing to you in a compliant way. Implementing this monitoring program and knowing your service providers’ compliance status provides assurance about whether they comply with the same…

PCI Requirement 12.8.3 – Ensure there is an Established Process for Engaging Service Providers

by Randy Bartels / April 5, 2023

Due Diligence with Vendor Relationships PCI Requirement 12.8.3 asks organizations to ensure there is an established process for engaging service providers including proper due diligence prior to engagement. Due diligence is a key component of any compliance objective, but it’s especially important in PCI because the service provider will be handling cardholder data or could impact the security of cardholder data. Due diligence efforts may include examining the service…

PCI Requirement 12.10.1 – Create the Incident Response Plan to Be Implemented in the Event of System Breach

PCI Requirement 12.10 – Implement an Incident Response Plan

PCI Requirement 12.9 – Additional Requirement for Service Providers Only: Service Providers Acknowledge in Writing to Customers That They are Responsible for the Security of Cardholder Data

PCI Requirement 12.8.4 and 12.8.5 – Maintain a Program to Monitor Service Providers’ PCI DSS Compliance Status

PCI Requirement 12.8.3 – Ensure there is an Established Process for Engaging Service Providers

Categories

Newsletter

Learn what you need to get started with our Audit Readiness Guide.