PCI Requirement 12.6 – Implement a Formal Security Awareness Program to Make All Personnel Aware of the CHD Data Security Policy and Procedures

by Randy Bartels / April 5, 2023

 Developing a Security Awareness Program PCI Requirement 12.6 requires that your organization implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures. Without compliance with this requirement, how would your program even work properly? If personnel are not educated and aware of their security responsibilities, security safeguards and processes that you’ve worked hard to develop and implement may become ineffective…

PCI Requirement 12.5.5 – Monitor and Control All Access to Data

by Randy Bartels / April 5, 2023

 Someone to Monitor and Control All Access to Data PCI Requirement 12.5.5 states, “Monitor and control all access to data.” Really, this is the whole point of PCI compliance, isn’t it? Without someone formally responsible for monitoring and giving access to cardholder data, that data does not have the protection it needs. Throughout the PCI DSS, it talks about key management, data custodians, and giving access based on a…

PCI Requirement 12.5.4 – Administer User Accounts, Including Additions, Deletions, and Modifications

by Randy Bartels / December 22, 2022

 Someone to Administer User Accounts In PCI Requirement 8.1.2, we learned there must be a formal program of control for additions, deletions, and modifications of user IDs and other credentials. This ties right in with PCI Requirement 12.5.4, which states there must be someone assigned to administer user accounts, including additions, deletions, and modifications. Think about all of the additions, deletions, and modifications that has occurred within your organization…

PCI Requirement 12.5.3 – Establish, Document, and Distribute Security Incident Response and Escalation Procedures to Ensure Timely and Effective Handling of All Situations

by Randy Bartels / December 22, 2022

 Someone to Respond to Incidents Incident response plans are crucial to PCI compliance. PCI Requirement 12.5.3 requires that you have an individual assigned to establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations. Without this role, incident response programs could be completely ineffective and security incidents could lead to great damage. For this role, it’s important that organizations develop…

PCI Requirement 12.5.2 – Monitor and Analyze Security Alerts and Information, and Distribute to Appropriate Personnel

by Randy Bartels / December 22, 2022

 Someone to Monitor and Analyze Security Alerts In PCI Requirement 10, we discussed a critical aspect of data protection: logging and tracking. Implementing logging mechanisms at your organization gives you the ability to track user activities, which is crucial in preventing, detecting, and minimizing the consequences of a data breach. Without logging and tracking, it’s almost impossible to find the source of the data breach or compromise. In PCI…