Solutions The best route to security compliance
Platform A powerful suite of ISMS features
Resources Everything you need to know
Knowledge Base Learn more about infosec
Company Security and customers first

What is PCI-DSS Requirement 12?

PCI DSS requirement 12 requests that businesses maintain a policy that addresses information security for all relevant personnel. This policy should address the proper use of all systems and networks, as well as information security incident response procedures.

By creating a strong information security policy, your business can emphasise the critical nature of protecting cardholder data – minimising the risk of any vulnerabilities occurring internally.

PCI-DSS Requirement 12.1: A comprehensive information security policy on information protection should be implemented and maintained.

Your business should implement an information security policy that communicates higher management’s intent and objectives regarding the protection of security systems, particularly cardholder data.

The sub-sub-requirements of this section include:

  • PCI-DSS Requirement 12.1.1: An information security policy is established, published, maintained, and circulated to all necessary personnel, relevant vendors and business partners.
  • PCI-DSS Requirement 12.1.2: The information security policy must be reviewed at a minimum, annually, and updated where necessary.
  • PCI-DSS Requirement 12.1.3: The policy must define roles and responsibilities for all personnel, and all personnel are aware of and understand their duties.
  • PCI-DSS Requirement 12.1.4: The responsibility for information security is formally assigned to a Chief Information Security Officer (CISO) or another relevant member of upper management.

PCI-DSS Requirement 12.2: Acceptable use policies for end-user technologies need to be defined and put in place.

Businesses should look to invest in end-user technologies, although these must be managed properly to avoid further risks. An acceptable use policy should outline the expected behaviour from relevant personnel when using this technology, reflecting the organisation’s risk tolerance.

PCI-DSS Requirement 12.3: CDE risks must be formally identified, evaluated, and managed.

Some of the PCI-DSS requirements will allow an organisation to decide how often an activity is performed based on the potential risks. Performing a risk assessment according to a solid methodology allows you to remain valid in compliance.

The sub-sub-requirements of this section include:

  • PCI-DSS Requirement 12.3.1: Each PCI-DSS requirement that provides flexibility for how frequently it is performed should be supported by a targeted risk assessment.
  • PCI-DSS Requirement 12.3.2: A targeted risk assessment is performed for each PCI-DSS requirement the entity meets with a customised approach.
  • PCI-DSS Requirement 12.3.3: Cryptographic cipher suites and protocols must be reviewed at least annually.
  • PCI-DSS Requirement 12.3.4: Hardware and software technologies must be reviewed at least annually.

PCI-DSS Requirement 12.4: Ensure PCI-DSS compliance is managed.

PCI DSS compliance responsibilities must be assigned to a member of higher management to ensure visibility into the process.

PCI-DSS Requirement 12.5: The PCI-DSS scope must be documented and validated.

Your organisation must maintain an up-to-date list of all system components to best define the scope of the environment and implement the requirements accurately. The inventory must not exclude any system components to remain compliant.

The sub-sub-requirements of this section include:

  • PCI-DSS Requirement 12.5.1: An inventory of all system components that are in scope for PCI-DSS, including in-depth descriptions of use, must be updated and maintained.
  • PCI-DSS Requirement 12.5.2: The PCI-DSS scope is documented and confirmed at least annually and after any significant changes.

PCI-DSS Requirement 12.6: Staff training on security awareness must be ongoing.

Your staff must receive training, or re-training, if necessary, on their security responsibilities and implemented safeguards and processes to minimise the risk of a breach.

The sub-sub-requirements of this section include:

  • PCI-DSS Requirement 12.6.1: A formal security awareness program must be implemented, and all personnel must be aware of the information security policy and procedures.
  • PCI-DSS Requirement 12.6.2: The security awareness program must be reviewed annually and updated where necessary to address any new threats and vulnerabilities.
  • PCI-DSS Requirement 12.6.3: All personnel must receive security awareness training.

PCI-DSS Requirement 12.7: Personnel must be screened to reduce the risk of an insider threat.

New staff members who may need to access the CDE should be thoroughly screened within the constraints of local laws before they are hired to ensure both cardholder and workplace safety.

Requirement 12.8: Third-party service provider (TPSP) relationships should have risks managed.

Creating and maintaining a list of all in-use third-party service providers (TPSPs) will help your business to identify any potential risks outside the organisation. This will also further define your extended attack surface.

The sub-sub-requirements of this section include:

  • PCI-DSS Requirement 12.8.1: A list of all in-use TPSPs with which account data is shared or that could affect the security of account data is created and maintained.
  • PCI-DSS Requirement 12.8.2: Written agreements with TPSPs are created and maintained.
  • PCI-DSS Requirement 12.8.3: An established process is implemented for engaging TPSPs. This must include proper due diligence prior to engagement.
  • PCI-DSS Requirement 12.8.4: A program is implemented to review in-use TPSPs’ PCI-DSS compliance status at least annually.
  • PCI-DSS Requirement 12.8.5: Which PCI DSS requirements are managed by each TPSP must be documented, including which are managed by the business, and any that are shared between the TPSP and the business.

PCI-DSS Requirement 12.9: TPSPs must support their customers’ PCI-DSS compliance.

Your business should seek to only work with third parties that are careful to achieve and maintain PCI DSS compliance, as this will protect the security of your customers’ cardholder data.

PCI-DSS Requirement 12.10: Any security incidents that could impact the CDE must be understood and addressed immediately.

It's important to put an incident response plan in place for the appropriate personnel, to avoid a missed attack, which could result in financial or reputational loss for your business.

The sub-sub-requirements of this section include:

  • PCI-DSS Requirement 12.10.1: An incident response plan has been implemented and can be readily activated in the event of potential security incident.
  • PCI-DSS Requirement 12.10.2: At least once a year, the security incident response plan needs to be reviewed, updated, and tested.
  • PCI-DSS Requirement 12.10.3: Specific personnel are designated to be on-call 24/7 to respond to potential security incidents.
  • PCI-DSS Requirement 12.10.4: Those responsible for responding to security incidents are appropriately trained.
  • PCI-DSS Requirement 12.10.5: The security incident response plan must include monitoring and responding to alerts from the monitoring systems.
  • PCI-DSS Requirement 12.10.6: The security incident response plan is updated according to industry developments and internal lessons learned.
  • PCI-DSS Requirement 12.10.7: Incident response procedures are in place in case of the detection of unexpected PAN in storage.

Compliance as you work with Hicomply

PCI-DSS compliance protects your business from severe financial and reputational loss – however, it can seem quite intimidating due to the long, thorough process. This is why we at Hicomply offer a full-fledged ISMS solution that keeps all your documents in one place – allowing you to focus on your business. Get in touch today to receive a demo.