PCI 12:
Requirement 12: Maintain a policy that addresses information security.
- A strong security policy sets the security tone for the whole company, and lets employees know what is expected of them. All employees should be aware of the sensitivity of data and their responsibilities for protecting it.
- PCI-12.1 Establish, publish, maintain, and disseminate a security policy that:
- PCI-12.3 Develop usage policies for critical employee-facing technologies, such as modems and wireless, to define proper use of these technologies for all employees and contractors. Ensure these usage policies require:
- PCI-12.5 Assign to an individual or team the following information security management responsibilities:
- Maintain an Information Security Policy
- PCI-12.6 Make all employees aware of the importance of cardholder information security.
- For those employees who only have access to one card number at a time to facilitate a transaction, such as store cashiers, this requirement is a recommendation only.
- PCI-12.8 Contractually require all third parties with access to cardholder data to adhere to payment card industry security requirements. At a minimum, the agreement should address:
- PCI-12.8.2 Ownership by each Payment Card brand, Acquirer, and Merchants of cardholder data and acknowledgement that such data can ONLY be used for assisting these parties in completing a transaction, supporting a loyalty program, providing fraud control services, or for other uses specifically required by law.
- PCI-12.8.4 Audit provisions that ensure that a Payment Card Industry representative, or a Payment Card Industry approved third party, will be provided with full cooperation and access to conduct a thorough security review after a security intrusion. The review will validate compliance with the Payment Card Industry Data Security Standard for protecting cardholder data.
- PCI-12.9 Implement an incident response plan. Be prepared to respond immediately to a system breach.
- PCI-12.9.1 Create an incident response plan to be used in the event of system compromise. Ensure the plan addresses, at a minimum, specific incident response procedures, business recovery and continuity procedures, data backup processes, roles and responsibilities, and communication and contact strategies (e.g., informing Acquirers and credit card associations).
--Mdpeters 15:11, 7 July 2006 (EDT)