Security Responsibilities

PCI Requirement 12.4 establishes the requirement to ensure that the security policy and procedures clearly define information security responsibilities for all personnel. Anyone with access to cardholder data will have some level of security responsibility, and they must be aware of that.

The PCI DSS guidance explains, “Without clearly defined security roles and responsibilities assigned, there could be inconsistent interaction with the security group, leading to unsecured implementation of technologies or use of outdated or unsecured technologies.”

To verify compliance with PCI Requirement 12.4, assessors will take a sample of personnel to interview about security policies and be sure they understand their level of security responsibility.

PCI Requirement 12.4 establishes the requirement to define security policies and procedures for all individuals. I want to emphasize the “all.” Anybody within your environment who has any involvement with access to cardholder data will have some measure of security responsibility that they need to tend to. PCI Requirement 12.4 calls out the need to establish those policies and procedures.

Employees with Remote Access

If you have employees who can access your cardholder data environment from remote-access technologies, you must comply with PCI Requirement 12.3.10. It states, “For personnel accessing cardholder data via remote-access technologies, prohibit the copying, moving, and storage of cardholder data onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need. Where there is an authorized business need, the usage policies must require the data be protected in accordance with all applicable PCI DSS Requirements.”

Consider all employees who work from home; chances are, home networks and environments are not going to be as secure as your cardholder data environment, so cardholder data should never be moved, unless there is a specific business need for it. You must have some policy for prohibiting the copying, moving, and storage of cardholder data into local environments.

The PCI DSS further explains, “To ensure all personnel are aware of their responsibilities to not store or copy cardholder data onto their local personal computers or other media, your policy should clearly prohibit such activities except for personnel that have been explicitly authorized to do so.” Including PCI Requirement 12.3.10 in your usage policies will protect your environment from employees taking cardholder data into insecure environments.

If you have employees who connect remotely and can access your cardholder data environment, PCI Requirement 12.3.10 requires that you have a process and program in place that prohibits them from moving, copying, and/or storing cardholder data in their local environment while connected remotely. Think about this: Johnny connects from home and transfers a database down to his environment to work on it. Chances are that his home environment is not as secure as your cardholder data environment. The PCI DSS is looking to establish this as a requirement. There is some leniency here, though. While it is generally prohibited, if your organization has a defined business need to do this to support your environment, it’s okay. However, management needs to be aware of that need and then apply the appropriate controls.

Vendor Management in Usage Policies

Organizations on the road to PCI compliance must recognize the importance of vendor management. Your usage policies should include a vendor management aspect, outlined by PCI Requirement 12.3.9, “Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use.”

Wherever you have vendors and business partners come into your environment, we’re going to look to ensure that your usage policies stipulate that remote-access technologies are only enabled when absolutely required to support your business. All other times, those accounts should be disabled, and nobody should be able to access them unless they’re approved by management.

Where you have a vendor or a business partner that might come into your environment to support you for one reason or another, we’re going to look to ensure that you have policies, procedures, and controls that keep those user accounts enabled only when absolutely required to support your business. At all other times, those accounts should be disabled, and nobody should be able to use them unless management has approved opening them so that your vendors or business partners can come in to support you.

Automatic Disconnect in Your Usage Policies

Remote-access technologies are a constant source of risk for critical resources and cardholder data. This is why PCI Requirement 12.3.8 requires that your usage policies include, “Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity.”

In PCI Requirement 8.1.8, we gave you this scenario: A user walks away from an open machine that has access to critical system components and/or cardholder data. That machine is then used by a malicious individual in the user’s absence, resulting in unauthorized account access and/or misuse. How can PCI Requirement 12.3.8 help prevent a scenario like this? By including an automatic disconnect rule for remote-access technologies in your usage policies, you can minimize the risk of malicious access.

To verify compliance with PCI Requirement 12.3.8, an assessor will need to examine your usage policies to ensure that they require automatic disconnect of sessions for remote-access technologies after a specific period of inactivity, or they will examine configurations for remote-access technologies.

PCI Requirement 12.3.8 stipulates that you have an automatic disconnect of the sessions after a defined period of time. Back in PCI Requirement 8, we talked about having a 15-minute session timeout, but in PCI Requirement 12.3.8, you’re establishing the policy around that particular requirement.

Acceptable Products

Your usage policies, as stated in PCI Requirement 12.3.7, should include a list of company-approved products. This list will correlate with your acceptable uses of technology policy to create strong and secure usage policies. The PCI DSS explains that by defining company-approved products, your organization will be better equipped to manage and control gaps in configurations and operational controls, ensuring that a back door is not opened for attackers.

To test compliance with PCI Requirement 12.3.7, an assessor will need to examine your usage policies to ensure that they include a list of company-approved products, or they may interview your personnel to see if they know which types of products are approved.

You need to maintain a formal list of the technology that’s actually approved to be used in your environment. Your assessor is likely not only going to look to see what that policy is, but they’re then likely to ask you for that list of approved technologies that can be used within your environment.