PCI 12:

From HORSE - Holistic Operational Readiness Security Evaluation.
Jump to navigation Jump to search

Requirement 12: Maintain a policy that addresses information security.


  • A strong security policy sets the security tone for the whole company, and lets employees know what is expected of them. All employees should be aware of the sensitivity of data and their responsibilities for protecting it.




PCI-12.1 Establish, publish, maintain, and disseminate a security policy that:


Key-control.jpgPCI-12.1.1 Addresses all requirements in this specification.


Key-control.jpgPCI-12.1.2 Includes an annual process that identifies threats, and vulnerabilities, and results in a formal risk assessment.


Key-control.jpgPCI-12.1.3 Includes a review at least once a year and updates when the environment changes.




Key-control.jpgPCI-12.2 Develop daily operational security procedures that are consistent with requirements in this specification (e.g., user account maintenance procedures, log review procedures).




PCI-12.3 Develop usage policies for critical employee-facing technologies, such as modems and wireless, to define proper use of these technologies for all employees and contractors. Ensure these usage policies require:


Key-control.jpgPCI-12.3.1 Explicit management approval.


Key-control.jpgPCI-12.3.2 Authentication for use of the technology.


Key-control.jpgPCI-12.3.3 A list of all such devices and personnel with access.


Key-control.jpgPCI-12.3.4 Labeling of devices with owner, contact information, and purpose.


Key-control.jpgPCI-12.3.5 Acceptable uses of the technology.


Key-control.jpgPCI-12.3.6 Acceptable network locations for these technologies.


Key-control.jpgPCI-12.3.7 A list of company-approved products.


Key-control.jpgPCI-12.3.8 Automatic disconnect of modem sessions after a specific period of inactivity.


Key-control.jpgPCI-12.3.9 Activation of modems for vendors only when needed by vendors, with immediate deactivation after use.


Key-control.jpgPCI-12.3.10 When accessing cardholder data remotely via modem, disable storage of cardholder data onto local hard drives, floppy disks or other external media. Also disable cut-and-paste, and print functions during remote access.




Key-control.jpgPCI-12.4 Ensure the security policy and procedures clearly define information security responsibilities for all employees and contractors.




PCI-12.5 Assign to an individual or team the following information security management responsibilities:


Key-control.jpgPCI-12.5.1 Establish, document, and distribute security policies and procedures.


Key-control.jpgPCI-12.5.2 Monitor and analyze security alerts and information, and distribute to appropriate personnel.


Key-control.jpgPCI-12.5.3 Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.


Key-control.jpgPCI-12.5.4 Administer user accounts, including additions, deletions, and modifications.


Key-control.jpgPCI-12.5.5 Monitor and control all access to data.


  • Maintain an Information Security Policy




PCI-12.6 Make all employees aware of the importance of cardholder information security.


Key-control.jpgPCI-12.6.1 Educate employees (e.g., through posters, letters, memos, meetings, and promotions).


Key-control.jpgPCI-12.6.2 Require employees to acknowledge in writing they have read and understood the company’s security policy and procedures.




Key-control.jpgPCI-12.7 Screen potential employees to minimize the risk of attacks from internal sources.


  • For those employees who only have access to one card number at a time to facilitate a transaction, such as store cashiers, this requirement is a recommendation only.




PCI-12.8 Contractually require all third parties with access to cardholder data to adhere to payment card industry security requirements. At a minimum, the agreement should address:


Key-control.jpgPCI-12.8.1 Acknowledgement that the 3rd party is responsible for security of cardholder data in their possession.


Key-control.jpgPCI-12.8.2 Ownership by each Payment Card brand, Acquirer, and Merchants of cardholder data and acknowledgement that such data can ONLY be used for assisting these parties in completing a transaction, supporting a loyalty program, providing fraud control services, or for others uses specifically required by law.


Key-control.jpgPCI-12.8.3 Business continuity in the event of a major disruption, disaster or failure.


Key-control.jpgPCI-12.8.4 Audit provisions that ensure that Payment Card Industry representative, or a Payment Card Industry approved third party, will be provided with full cooperation and access to conduct a thorough security review after a security intrusion. The review will validate compliance with the Payment Card Industry Data Security Standard for protecting cardholder data.


Key-control.jpgPCI-12.8.5 Termination provision that ensures that 3rd party will continue to treat cardholder data as confidential.




PCI-12.9 Implement an incident response plan. Be prepared to respond immediately to a system breach.


Key-control.jpgPCI-12.9.1 Create an incident response plan to be used in the event of system compromise. Ensure the plan addresses, at a minimum, specific incident response procedures, business recovery and continuity procedures, data backup processes, roles and responsibilities, and communication and contact strategies (e.g., informing Acquirers and credit card associations.).


Key-control.jpgPCI-12.9.2 Test the plan at least annually.


Key-control.jpgPCI-12.9.3 Designate specific personnel to be available on a 24/7 basis to respond to alerts.


Key-control.jpgPCI-12.9.4 Provide appropriate training to staff with security breach response responsibilities.


Key-control.jpgPCI-12.9.5 Include alerts from intrusion detection, intrusion prevention, and file integrity monitoring systems.


Key-control.jpgPCI-12.9.6 Have a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments.



--Mdpeters 15:11, 7 July 2006 (EDT)