PCI Requirement 12 – Maintain a Policy that Addresses Information Security for All Personnel

by Randy Bartels / July 3rd, 2018

We’ve finally made it! Here we are at PCI Requirement 12, the last of the PCI requirements. PCI Requirement 12 states, “Maintain a policy that addresses information security for all personnel.” This requirement is centered around the management of your information security program, which stems from a strong information security policy that sets the tone and expectations for your employees.

In order to create a strong information security policy, PCI Requirement 12 requires that the policy address many elements, including:

  • Risk assessment process
  • Usage policies
  • Lists of devices and personnel with access to them
  • Defined authentication methods
  • Acceptable network locations
  • Remote-access rules
  • Executive management responsibilities
  • Security awareness program
  • Personnel training requirements
  • Vendor compliance management
  • Incident response program
  • Alerts from security monitoring systems
  • Documentation of review process

After implementing the other 11 PCI requirements, you’ve finally moved past the technology aspect of PCI. Now, we’re defining how your organization will manage its information security program.

PCI Requirement 12 is the last of the PCI DSS requirements, and it is focused on executive management and on the management of the policies and documentation that make up the overall program. By this point in the assessment, and in your program, the technology work is largely complete; this requirement defines how the program as a whole will be governed and maintained.