[PCI_DSS] Requirement 12: Maintain a policy that addresses information security


12.1 Establish, publish, maintain, and disseminate a security policy that accomplishes the following:
  12.1.1 Addresses all requirements in this specification
  12.1.2 Includes an annual process that identifies threats and vulnerabilities, and results in a formal risk assessment
  12.1.3 Includes a review at least once a year and updates when the environment changes

12.2 Develop daily operational security procedures that are consistent with requirements in this specification (for example, user account maintenance procedures, and log review procedures).

12.3 Develop usage policies for critical employee-facing technologies (such as modems and wireless) to define proper use of these technologies for all employees and contractors. Ensure these usage policies require the following:
  12.3.1 Explicit management approval
  12.3.2 Authentication for use of the technology
  12.3.3 A list of all such devices and personnel with access
  12.3.4 Labeling of devices with owner, contact information, and purpose
  12.3.5 Acceptable uses of the technology
  12.3.6 Acceptable network locations for the technologies
  12.3.7 List of company-approved products
  12.3.8 Automatic disconnect of modem sessions after a specific period of inactivity
  12.3.9 Activation of modems for vendors only when needed by vendors, with immediate deactivation after use
  12.3.10 When accessing cardholder data remotely via modem, prohibition of storage of cardholder data onto local hard drives, floppy disks, or other external media. Prohibition of cut-and-paste and print functions during remote access

12.4 Ensure that the security policy and procedures clearly define information security responsibilities for all employees and contractors.

12.5 Assign to an individual or team the following information security management responsibilities (12.5.1 through 12.5.5):
  12.5.1 Establish, document, and distribute security policies and procedures
  12.5.2 Monitor and analyze security alerts and information, and distribute to appropriate personnel
  12.5.3 Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations
  12.5.4 Administer user accounts, including additions, deletions, and modifications
  12.5.5 Monitor and control all access to data

12.6 Implement a formal security awareness program to make all employees aware of the importance of cardholder data security:
  12.6.1 Educate employees upon hire and at least annually (for example, by letters, posters, memos, meetings, and promotions)
  12.6.2 Require employees to acknowledge in writing that they have read and understood the company's security policy and procedures

12.7 Screen potential employees to minimize the risk of attacks from internal sources. For those employees, such as store cashiers, who only have access to one card number at a time when facilitating a transaction, this requirement is a recommendation only.

12.8 If cardholder data is shared with service providers, then contractually the following is required:
  12.8.1 Service providers must adhere to the PCI DSS requirements
  12.8.2 Agreement that includes an acknowledgement that the service provider is responsible for the security of cardholder data the provider possesses

12.9 Implement an incident response plan. Be prepared to respond immediately to a system breach.
  12.9.1 Create the incident response plan to be implemented in the event of system compromise. Ensure the plan addresses, at a minimum, specific incident response procedures, business recovery and continuity procedures, data backup processes, roles and responsibilities, and communication and contact strategies (for example, informing the Acquirers and credit card associations)
  12.9.2 Test the plan at least annually
  12.9.3 Designate specific personnel to be available on a 24/7 basis to respond to alerts
  12.9.4 Provide appropriate training to staff with security breach response responsibilities
  12.9.5 Include alerts from intrusion detection, intrusion prevention, and file integrity monitoring systems
  12.9.6 Develop a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments

12.10 All processors and service providers must maintain and implement policies and procedures to manage connected entities, to include the following:
  12.10.1 Maintain a list of connected entities
  12.10.2 Ensure proper due diligence is conducted prior to connecting an entity
  12.10.3 Ensure the entity is PCI DSS compliant
  12.10.4 Connect and disconnect entities by following an established process