PCI Requirement 12.3.4 – A Method to Accurately and Readily Determine Owner, Contact Information, and Purpose

by Randy Bartels / December 16, 2022

Identification System

Your usage policies should include a method for identifying who an asset's owner is. PCI Requirement 12.3.4 specifically calls for “A method to accurately and readily determine owner, contact information, and purpose.” This doesn't mean you need a label on every device stating who the owner is, but you do need an identification system. This could be a serial number or asset tag that traces back to the owner. Without…

PCI Requirement 12.3.3 – A List of All Devices and Personnel with Access

by Randy Bartels / December 16, 2022

Approved Devices and Personnel with Access

To create compliant usage policies, your organization must meet PCI Requirement 12.3.3, which requires you to keep a list of all devices and personnel with access. Lists of approved devices and personnel come up often in the PCI DSS, and PCI Requirement 12.3.3 is one such place. Without this list of all devices and personnel with access, an attacker could place their own devices on your network,…

PCI Requirement 12.3.2 – Authentication for Use of the Technology

by Randy Bartels / December 16, 2022

Proper Authentication in Usage Policies

We learned about restricting access in PCI Requirement 7 and about authentication methods in PCI Requirement 8, and both tie in here. The more people who have access to cardholder data, the more risk there is. A crucial aspect of usage policies is authentication. PCI Requirement 12.3.2 says that usage policies must require authentication for the use of the technology. If technology is implemented without proper authentication methods, malicious individuals may use this…

PCI Requirement 12.3.1 – Explicit Approval by Authorized Parties

by Randy Bartels / December 16, 2022

Who Approves Usage Policies?

Your usage policies, as stated in PCI Requirement 12.3.1, should require explicit approval by authorized parties. The PCI DSS explains that if your usage policies do not require formal approval before critical technologies are implemented, your personnel may innocently deploy a solution to a perceived business need and, in doing so, open a gap that puts critical systems and cardholder data at risk. To test compliance with…

PCI Requirement 12.3 – Develop Usage Policies for Critical Technologies and Define Proper Use of These Technologies

by Randy Bartels / December 16, 2022

Developing Usage Policies

In order to prohibit inappropriate use of devices or technology, PCI Requirement 12.3 requires that you “Develop usage policies for critical technologies and define proper use of these technologies.” Critical technologies may include laptops, tablets, removable electronic media, remote access, wireless, email, and Internet usage. If usage policies are not implemented, your personnel could use these critical technologies in a way that violates company policy, allowing malicious individuals to gain…