PCI Requirement 12: Maintaining an Information Security Policy
When creating an information security policy, an organization must create a policy that addresses information security for all personnel. Let’s emphasize “all” – this policy is not just for the IT department but is for anyone who is or could be involved in any capacity with storing, processing, or transmitting cardholder data. PCI Requirement 12 helps oversee and govern an organization’s PCI DSS compliance program.
Requirement 12.1 – You must keep a current set of policies accessible to all relevant personnel.
Requirement 12.2 – A risk assessment is performed at least annually, and also whenever business objectives change.
Requirement 12.3 – Develop usage policies for critical technologies.
Requirement 12.4 – Security policies must define responsibilities for all users.
Requirement 12.5 – Security management and activities must be formally assigned.
Requirement 12.6 – Implement a formal security awareness program.
Requirement 12.7 – Screen potential personnel prior to hire to minimize the risk of attacks from internal sources.
Requirement 12.8 – Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data.
Requirement 12.9 – Service providers must acknowledge in writing that they are responsible for the security of cardholder data they possess or store, process, transmit on behalf of the customer, or to the extent that they could impact the security of the cardholder data environment.
Requirement 12.10 – Implement an incident response plan.
The PCI DSS isn’t just a technical standard; it includes people, processes, and technology. Furthermore, your organization’s policies and procedures are not just pieces of paper. They are an executive-level edict that defines how the business will be run. It’s not enough to have policies and procedures. You must make sure that your policies and procedures are effective and actually implemented, so that they function properly and as you designed them. If your policies aren’t functioning, then you don’t have a policy.