
PCI DSS: Information Security Policies

Information Security Policies [Req 12]

Rule: Maintain a policy that addresses information security for all personnel. Support information security with organizational policies and programs.

Requirement 12: Information Security Policy

12.1 — Policy Established and Maintained

Control | Requirement
Written policy | Comprehensive information security policy
Annual review | Review and update at least annually
Management approval | Approved by management
Communicated | Disseminated to all relevant personnel

12.2 — Acceptable Use Policies

Policy | Covers
Technology usage | Acceptable use of all technologies
Remote access | Requirements for remote access
Wireless | Wireless technology usage
Removable media | Laptops, tablets, electronic media
Email/Internet | Acceptable use of communications

12.3 — Risk Assessment

Control | Requirement
Annual assessment | At least once per year
After significant changes | When environment changes
Identify threats | Threats and vulnerabilities
Formal process | Documented methodology

Risk Assessment Must:

  • Identify critical assets
  • Identify threats to CDE
  • Identify vulnerabilities
  • Perform formal risk analysis
  • Document results

12.4 — Executive Responsibility (Service Providers)

For service providers only:

Control | Requirement
Executive assignment | Executive responsible for PCI DSS
Charter | PCI DSS compliance program charter
Communication | Report to executive management
Quarterly review | Status reviews with management

12.5 — Scope Validation

Control | Requirement
Document scope | CDE and connected systems
Annual validation | Validate scope at least annually
After changes | Revalidate after significant changes
Methodology | Document scoping methodology

Scope Validation Includes:

  • All data flows
  • All system components
  • All connections to/from CDE
  • All third-party connections
  • All segmentation controls

12.6 — Security Awareness Training

12.6.1 — Training Program

Control | Requirement
Upon hire | Training for new personnel
Annual refresh | At least annual training
Multiple methods | Various delivery methods acceptable
Acknowledgment | Personnel acknowledge training

12.6.2 — Training Content

Training must cover:

  • Importance of cardholder data security
  • Personnel security responsibilities
  • Acceptable use policies
  • Phishing and social engineering
  • How to report suspicious activity

12.6.3 — Phishing-Specific Training

Control | Requirement
Phishing awareness | How to identify phishing
Reporting procedure | How to report attempts
Simulated attacks | Optional but recommended

12.7 — Personnel Screening

Control | Requirement
Background checks | Prior to hire for CDE access
Scope | Within legal constraints
Examples | Criminal history, credit, references

Note: Screening requirements vary by jurisdiction and role.

12.8 — Third-Party Service Providers

12.8.1 — Provider List

Control | Requirement
Inventory | List of all service providers
Services documented | What services they provide
Annual review | Review list at least annually

12.8.2 — Agreements

Control | Requirement
Written agreement | Documenting responsibilities
Acknowledgment | Provider acknowledges responsibility
PCI DSS requirements | Agree to applicable requirements

12.8.3 — Due Diligence

Control | Requirement
Before engagement | Due diligence before use
Compliance status | Verify provider’s PCI DSS status
Annual review | Monitor compliance status

12.8.4 — Monitor Compliance

Control | Requirement
Annual status | Obtain compliance status annually
AOC review | Review Attestation of Compliance
Track changes | Monitor changes in compliance

12.8.5 — Responsibility Matrix

Control | Requirement
RACI matrix | Who is responsible for what
Clear delineation | No gaps in responsibility
Documented | Written and agreed upon

12.9 — Service Provider Acknowledgment

For service providers:

Control | Requirement
Written acknowledgment | Provide to customers
State responsibility | For security of CHD
PCI DSS requirements | Applicable requirements acknowledged

12.10 — Incident Response

12.10.1 — Incident Response Plan

Element | Requirement
Written plan | Documented procedures
Roles and responsibilities | Who does what
Communication | Internal and external procedures
24/7 coverage | Ability to respond any time

Incident Response Plan Must Include:

  • Roles and contact information
  • Incident definition and classification
  • Response procedures by incident type
  • Containment strategies
  • Business recovery procedures
  • Data backup processes
  • Legal/regulatory notification requirements
  • Card brand notification procedures
  • Lessons learned process

12.10.2 — Annual Review

Control | Requirement
Annual review | Review plan at least annually
Updates | Update as needed
Post-incident | Update after incidents

12.10.3 — Designated Personnel

Control | Requirement
Response team | Designated personnel for response
24/7 availability | Available around the clock
Coverage | For all critical systems

12.10.4 — Training

Control | Requirement
Trained staff | Response personnel trained
Annual training | At least annually
New staff | Trained upon assignment

12.10.5 — Alerts from Security Systems

Control | Requirement
IDS/IPS alerts | Response procedures defined
File integrity | Monitoring alerts addressed
Change detection | Payment page change alerts
Network traffic | Anomaly alerts investigated

12.10.6 — Testing and Evolution

Control | Requirement
Annual testing | Test response plan at least annually
Tabletop exercises | Simulated incident scenarios
Lessons learned | Update plan based on tests
After incidents | Update based on real incidents

Policy Documentation Summary

Policy Area | Review Frequency | Required For
Information security policy | Annual | All entities
Acceptable use policies | Annual | All entities
Risk assessment | Annual + changes | All entities
Scope documentation | Annual + changes | All entities
Service provider agreements | Annual | All entities
Incident response plan | Annual + post-incident | All entities
Security awareness training | Annual | All personnel

Citation

PCI DSS v4.0.1 Requirement 12

Contains public sector information licensed under the Open Government Licence v3.0 where applicable. This is not legal advice. Always refer to official sources for authoritative text.
