PCI DSS Requirement 12: Establish and maintain a policy that addresses information security for all personnel.
A strong security policy establishes the degree of security for the entire organization and advises staff on what to do and what is expected of them. All personnel should be aware of the sensitivity of data and their responsibilities for protection. Therefore, all employees must be informed about their data protection and security duties.
See Also: PCI DSS Policy and Procedure Documentation
Personnel refers to full-time and part-time employees, temporary employees, vendors, and consultants who “reside” within the company or have some form of access to the cardholder’s data system for PCI DSS Requirement 12.
Let’s take a look at the sub-requirements in PCI DSS Requirement 12.
PCI DSS Requirement 12.1: Establish, publish, maintain, and deploy a security policy.
A company’s information security policy creates a roadmap for implementing security measures to protect the company’s most valuable assets.
All personnel should be aware of their data sensitivity and protection responsibilities. Information security policy specifies the rules to be followed regarding the sensitivity and protection responsibilities of the employees.
PCI DSS Requirement 12.1.1: Review the security policy at least annually and update it when the environment changes.
Security threats and protection methods are evolving rapidly. If the security policy is not updated to reflect the relevant changes, new safeguards to combat threats will not be addressed.
The security policy should, therefore, be reviewed annually to address current security threats and protection methods. This review should also be carried out in the event of any changes to the environment.
PCI DSS Requirement 12.2: Establish and implement a risk assessment process.
Risk assessment enables an organization to identify threats and associated vulnerabilities that can adversely affect their business. Different examples of risk assessments include cybercrime, web attacks, and malicious POS software.
Resources can be effectively allocated to implement controls that reduce the likelihood or potential impact of the threat identified after risk assessment. Risk assessments should be conducted at least annually and after significant changes.
In this way, organizational changes, developing threats, trends, and technologies can be aware of time’s necessary measures.
The risk assessment process should include:
- It should be done at least once a year and when significant changes occur in the environment. (e.g., acquisition, merger, relocation, etc.),
- Identify critical assets, threats, and vulnerabilities.
- Include a formal, documented risk analysis results.
Examples of risk assessment methodologies are OCTAVE, ISO 27005, or NIST SP 800-30.
PCI DSS Requirement 12.3: Develop usage policies for critical technologies and define these technologies’ acceptable use.
With personnel usage policies, the company can prohibit certain devices and other technologies or guide correct use and application for personnel.
Where usage policies are not in place, staff can use technology to violate company policy, allowing malicious individuals to gain access to critical systems and cardholder data.
Remote access, wireless technologies, laptops, tablets, portable electronic media, e-mail use, and the Internet can be counted among critical technology examples.
In the absence of approval to implement critical technologies, individual staff can implement a business need solution. But this solution, implemented without approval, can also open a huge hole exposing critical systems and data to malicious people.
PCI DSS Requirement 12.3.2: Authentication mechanisms should be used in the use of technology.
If the technology is implemented without adequate protection, unauthorized persons can easily access critical systems and cardholder data using unsafe devices.
Therefore, usage policies should include processes that verify user identity with passwords or other authentication elements for all technology uses.
PCI DSS Requirement 12.3.3: A list of all devices and personnel with access to these devices should be kept.
Malicious individuals can breach physical security and place their own devices as a “backdoor” to the network. Personnel can also bypass procedures and install various devices in the environment without permission.
Maintaining an accurate inventory with proper device labeling enables unapproved installations to be identified quickly and makes it easier to check approved installations.
PCI DSS Requirement 12.3.4: Establish a method that defines the device’s owner, contact information, and purpose.
Establishing a formal identification method for devices facilitates the devices’ control and control by specifying their responsible and purpose. Therefore, the owner, contact information, and purpose of all devices with built-in inventory controls must be determined.
Using tagging as a method, information such as code that can link the device to its owner, contact information, and purpose can be used.
PCI DSS Requirement 12.3.5-7: Usage policies should define the following items.
By defining the acceptable business use and location of approved devices and technology, companies can better manage and control gaps in configurations and operational controls.
Acceptable usage policies will prevent a malicious person from opening a “back door” to access critical systems and cardholder data.
- Acceptable uses of technology
- Acceptable network locations for technologies
- List of company approved products
PCI DSS Requirement 12.3.8-9: Usage policies should include the following items for remote access technologies.
Remote access technologies are essential “backdoors” through which critical resources and cardholder data can be accessed frequently. Disconnecting or restricting remote access technologies when not in use will minimize access to networks and thus risk.
See Also: PCI DSS Remote Access Requirements – What You Need to Know
See Also: PCI DSS Session Timeout Requirements
Examples of remote access technologies include your POS vendor, other vendors, or business partners to support your systems.
- After a certain period of inactivity, sessions for remote access technologies should be automatically terminated.
- Remote access technologies should only be used when needed by manufacturers and business partners and should be disabled immediately after use.
PCI DSS Requirement 12.3.10: Prohibit copying, moving, and storing cardholder data to local hard drives and removable electronic media for personnel accessing cardholder data through remote access technologies.
Personal access to cardholder data via remote access technologies should be prohibited from copying, transferring, and storing cardholder data to local hard drives and removable electronic media unless explicitly authorized for a defined job.
To ensure that all personnel is aware of their responsibility not to store or copy cardholder data on their local personal computers or other media, your policy should prohibit such activities, except expressly authorized personnel.
When there is an authoritative business need, usage policies should require all applicable PCI DSS requirements to protect that data. Storing or copying cardholder data to a local hard drive or other media must comply with all applicable PCI DSS requirements.
PCI DSS Requirement 12.4: Ensure that the security policy and procedures clearly define all personnel’s information security responsibilities.
Suppose clearly defined security roles and responsibilities are not assigned. In that case, the relationship with the security group may be inconsistent, leading to the unsafe implementation of technologies or the use of outdated and unsafe technologies.
PCI DSS Requirement 12.4.1: Additional requirement for service providers only: Senior management should establish a PCI DSS compliance program outlining their responsibilities for protecting cardholder data.
This requirement applies only if the organization being evaluated is a service provider.
The assignment of PCI DSS Compliance Responsibilities to senior management provides executive-level visibility to the PCI DSS Compliance Program. It provides an opportunity to ask appropriate questions to determine program effectiveness and influence strategic priorities.
The PCI DSS compliance program’s overall responsibility may be assigned to individual roles or business units within the organization. They may include senior management, C-level positions, the board of directors, or equivalent positions.
Certain titles may vary depending on the organizational structure. The level of detail to be provided to the top management should be appropriate for the organization and target audience.
The PCI DSS compliance program should include the following items:
- Overall accountability for maintaining PCI DSS compliance
- Defining bylaws for the PCI DSS compliance program
- Defining communication ways with senior management
PCI DSS Requirement 12.5 1-5: Assign information security management responsibilities to an individual or team as follows.
Each person or team responsible for managing information security should be aware of their responsibilities and related roles through a specific policy. Gaps in processes without accountability over responsibilities can open access to critical resources or cardholder data.
Organizations should also establish transition or backup plans for key personnel to avoid possible gaps in security duties that could result in non-assignment of responsibilities and hence non-performance.
- Establish, document, and distribute security policies and procedures.
- Monitor, analyze, and distribute security alerts and information to appropriate personnel.
- Establish, document, and distribute safety response and escalation procedures to ensure timely and effective handling of all incidents.
- Monitor and manage user accounts, including additions, deletions, and changes.
- Monitor and control all access to data.
The following information security responsibilities should be formally assigned to information security policies and procedures:
- Information security should be formally appointed to a Chief Security Officer or other security-knowledgeable management members.
- Formal responsibility for establishing, documenting, and distributing security policies and procedures.
- Formal responsibility for monitoring and analyzing security alerts and distributing information to appropriate information security and business unit management personnel.
- Formal responsibility for establishing, documenting, and distributing security incident response and escalation procedures.
- Responsibility for managing the user account and authentication management should be formally appointed.
- Formal responsibility for monitoring and controlling all access to data.
PCI DSS Requirement 12.6: Implement a formal security awareness program to ensure that all personnel knows cardholder data security policy and procedures.
If the personnel is not trained about their security responsibilities, the implemented security measures and processes may become ineffective due to errors or deliberate actions.
See Also: Implementing a Security Awareness Program
PCI DSS Requirement 12.6.1: Train personnel on security after recruitment and at least annually.
If the security awareness program does not include periodic refresh sessions, important security processes and procedures can be forgotten or skipped. As a result of forgotten information can reveal critical resources and cardholder data.
The security awareness program should provide multiple methods to communicate awareness and train staff. The methods to be applied may vary depending on the staff role and the level of access to cardholder data.
Examples of methods are posters, letters, notes, web-based training, meetings, and promotions.
PCI DSS Requirement 12.6.2: Require personnel to confirm that they have read and understood the security policy and procedures at least once a year.
Requesting employee consent in writing or electronically helps ensure that they have read and understood security policies and procedures and are committed to complying with those policies and will continue to do so.
PCI DSS Requirement 12.7: Perform background screening of potential personnel before recruiting to minimize the risk of attack from internal sources.
Conducting thorough background research before hiring potential personnel expected to be given access to cardholder data will reduce the risk of unauthorized use of PANs and other cardholder data by persons with a suspicious or criminal background.
Examples of background inspections include past employment history, criminal record, credit history, and reference inspections.
If a service provider shares cardholder data with another service provider, policies and procedures must be established and implemented to ensure that this data is constantly protected and service providers enforce requirements.
See Also: What Are the PCI DSS Third-Party Service Provider Management Requirements
Examples of different service providers are managed service providers such as storage facilities, web hosting companies or security service providers, and companies that receive data for modeling fraudulent transactions.
PCI DSS Requirement 12.8.1: Keep a list of the service providers from which you get service.
Keeping a list of all the service providers you service determines how far the potential risk extends outside the organization and makes it easier to control service providers.
PCI DSS Requirement 12.8.2: Make a written agreement that includes a confirmation that service providers are responsible for the security of cardholder data stored, processed, or transmitted or may affect the customer’s security.
The service providers’ acceptance of liability demonstrates their commitment to ensuring the proper security of cardholder data. The extent to which the service provider is responsible for cardholder data security will depend on the particular service and the agreement between the provider and the assessed organization.
The acceptance of the liability agreement is intended to promote a consistent level of understanding between the parties regarding the applicable responsibilities of the PCI DSS. For example, the agreement may contain the applicable PCI DSS requirements to be maintained as part of its service.
The exact expression of acceptance will depend on the agreement between the two parties, the details of the service provided, and the responsibilities given to each party. The acceptance does not have to include the full expression provided in this requirement.
PCI DSS Requirement 12.8.3: Establish and implement a process for delegating service providers.
It should include conducting a risk analysis study and a thorough examination of the solution offered by the provider before establishing a formal relationship with the provider within the process established to assign service providers.
Risk analysis, special due diligence processes, and targets will differ for each organization. Examples of issues to consider include the provider’s reporting practices, breach notification and incident response procedures, details of how PCI DSS responsibilities are assigned between each party, how the provider validates PCI DSS compliance, and evidence will provide.
PCI DSS Requirement 12.8.4-5: Establish a schedule to monitor service providers’ PCI DSS compliance status at least annually.
Knowing your service providers’ PCI DSS compliance status will provide assurance and awareness of whether they comply with the same requirements that your organization is subject to.
If the service provider offers a variety of services, this requirement must apply to the services provided to the client and services under the customer’s PCI DSS assessment.
The specific information that the organization holds will depend on the specific agreement and type of service with its providers. The objective is for the assessed organization to understand the PCI DSS requirements that its providers agree to meet.
Besides, it is necessary to have information about which service provider is managed by the PCI DSS requirements and managed by the organization.
PCI DSS Requirement 12.9: Additional requirement for service providers only: Service providers must confirm to customers in writing that they are responsible for, or may affect, the security of cardholder data that they own or otherwise store or transmit on behalf of the customer.
This requirement applies only when the organization being evaluated is a service provider.
In conjunction with PCI DSS Requirement 12.8.2, this requirement is intended to promote a consistent level of understanding between service providers and their customers about applicable PCI DSS responsibilities.
The acceptance of service providers demonstrates their commitment to ensuring the proper security of cardholder data obtained from their customers.
The service provider’s internal policies and procedures for customer engagement processes and all templates used for written agreements must include providing an enforceable PCI DSS approval to their customers.
The service provider’s method of providing written consent must be agreed between the provider and its customers.
The exact expression of acceptance will depend on the agreement between the two parties, the details of the service provided, and the responsibilities given to each party. The acceptance does not have to include the full expression provided in this requirement.
PCI DSS Requirement 12.10: Create and implement an incident response plan. Be prepared to deal with a breach immediately.
In the absence of a security incident response plan that is properly and completely propagated by the responsible parties, it creates confusion, and unified response to the breach cannot be given.
See Also: Implementing a Successful Incident Response Plan for PCI DSS
Disruptions like these can create more business cuts, exposure to unnecessary media pressure, and new legal obligations.
PCI DSS Requirement 12.10.1: Create an incident response plan that includes the following items to be implemented in case of a breach.
The incident response plan should be comprehensive and include all key elements to ensure that your company responds effectively in the event of a breach that could affect cardholder data.
See Also: What are the PCI DSS Business Continuity Requirements?
See Also: PCI DSS Disaster Recovery Requirements
The incident response plan to be implemented in the event of a breach should address the following:
- Roles, responsibilities, and contact information and communication strategies should be determined in the incident response plan.
- Special incident response procedures should be established.
- Business recovery and continuity procedures should be established.
- Data backup processes should be determined.
- Legal requirements should be analyzed.
- All critical system components should be covered, and their responses determined.
- Reference of incident response procedures from payment brands should be taken or included in the incident.
See Also: What are PCI DSS Backup Requirements
PCI DSS Requirement 12.10.2: Review and test the Incident Response plan at least annually.
Important steps can be missed if proper testing and reviews are not done, resulting in increased exposure to vulnerabilities during an incident.
PCI DSS Requirement 12.10.3-4: Identify specific personnel who can work 24/7 to respond to alerts.
In the absence of a trained and ready incident response team, long-term damage may occur in the network, and critical data and systems can be used inappropriately. For this reason, evidence could be lost, which could hinder the success of the post-incident investigation.
A responsible person should be present for 24/7 incident response and monitoring coverage for any evidence of unauthorized activity, detection of unauthorized wireless access points, critical IDS alerts, or reports of unauthorized critical system or content file changes.
Also, appropriate training should be provided to personnel with security breach response responsibilities.
PCI DSS Requirement 12.10.5: Create necessary alerts from all security monitoring systems such as intrusion detection, intrusion prevention, firewalls, and file integrity monitoring systems.
These monitoring systems are designed to focus on the potential risk of data loss. Therefore, the alerts generated by these systems are critical to take quick action to prevent a breach and should be included in incident response processes.
PCI DSS Requirement 12.10.6: Develop a process to modify and improve the incident response plan based on lessons learned and incorporate industry developments.
Including “lessons learned” in the incident response plan after an incident helps the plan stay current and react to emerging threats and security trends.
PCI DSS Requirement 12.11: Additional requirement for service providers only: Conduct at least quarterly reviews to verify that personnel follows security policies and operational procedures.
This requirement applies only when the organization being evaluated is a service provider.
Regularly confirming that security policies and procedures are followed provides assurance that expected controls are operating effectively and as intended.
The purpose of these reviews is not to re-perform other PCI DSS requirements, but merely to confirm whether the procedures were followed as expected.
Reviews should cover the following processes:
- Daily log reviews
- Firewall rule set reviews.
- Applying configuration standards to new systems
- Responding to security alerts
- Change management processes
PCI DSS Requirement 12.11.1: Additional requirement for service providers only: Keep documentation of the quarterly review process.
This requirement applies only when the organization being evaluated is a service provider.
The purpose of independent controls is to confirm whether security activities are carried out continuously. These reviews can also be used to verify that appropriate evidence is retained to help the organization prepare for the next PCI DSS assessment.
Review documents to be retained should include the following:
- Results reports of the examinations
- Review and signing of results by personnel assigned responsibility for the PCI DSS compliance program.
For detailed information, see the PCI DSS Quick Reference Guide from the PCI SSC Documentation library.
To review all of the PCI DSS Requirements, you can review our PCI DSS Requirements and PCI Compliance articles.
