12 — Support information security with organizational policies and programs
32 requirements fall under Requirement 12 (Support information security with organizational policies and programs):
12.1.1 An overall information security policy is: Established.
12.1.2 The information security policy is: Reviewed at least once every 12 months.
12.1.3 The security policy clearly defines information security roles and responsibilities for all personnel, and all personnel are aware of and acknowledge their information security responsibilities.
12.1.4 Responsibility for information security is formally assigned to a Chief Information Security Officer or other information security knowledgeable member of executive management.
12.2.1 Acceptable use policies for end-user technologies are documented and implemented, including: Explicit approval by authorized parties.
12.3.1 For each PCI DSS requirement that specifies completion of a targeted risk analysis, the analysis is documented and includes: Identification of the assets being protected.
12.3.2 A targeted risk analysis is performed for each PCI DSS requirement that the entity meets with the customized approach, to include: Documented evidence detailing each element specified in Appendix B: Guidance and Instructions for Using Customized Approach (including, at a minimum, a controls matrix and risk analysis).
12.3.3 Cryptographic cipher suites and protocols in use are documented and reviewed at least once every 12 months, including at least the following: An up-to-date inventory of all cryptographic cipher suites and protocols in use, including purpose and where used.
12.3.4 Hardware and software technologies in use are reviewed at least once every 12 months, including at least the following: Analysis that the technologies continue to receive security fixes from vendors promptly.
12.4.1 Additional requirement for service providers only: Responsibility is established by executive management for the protection of cardholder data and a PCI DSS compliance program to include: Overall accountability for maintaining PCI DSS compliance.
12.4.2 Additional requirement for service providers only: Reviews are performed at least once every three months to confirm personnel are performing their tasks in accordance with all security policies and all operational procedures.
12.5.1 An inventory of system components that are in scope for PCI DSS, including a description of function/use, is maintained and kept current.
12.5.2 PCI DSS scope is documented and confirmed by the entity at least once every 12 months and upon significant change to the in-scope environment.
12.5.3 Additional requirement for service providers only: Significant changes to organizational structure result in a documented (internal) review of the impact to PCI DSS scope and applicability of controls, with results communicated to executive management.
12.6.1 A formal security awareness program is implemented to make all personnel aware of the entity’s information security policy and procedures and their role in protecting the cardholder data.
12.6.2 The security awareness program is: Reviewed at least once every 12 months, and updated as needed to address any new threats and vulnerabilities that may impact the security of the entity’s cardholder data and/or sensitive authentication data, or the information provided to personnel about their role in protecting cardholder data.
12.6.3 Personnel receive security awareness training as follows: Upon hire and at least once every 12 months.
12.7.1 Potential personnel who will have access to the CDE are screened, within the constraints of local laws, prior to hire to minimize the risk of attacks from internal sources.
12.8.1 A list of all third-party service providers (TPSPs) with which account data is shared or that could affect the security of account data is maintained, including a description for each of the services provided.
12.8.2 Written agreements with TPSPs are maintained as follows: Written agreements are maintained with all TPSPs with which account data is shared or that could affect the security of the CDE.
12.8.3 An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement.
12.8.4 A program is implemented to monitor TPSPs’ PCI DSS compliance status at least once every 12 months.
12.8.5 Information is maintained about which PCI DSS requirements are managed by each TPSP, which are managed by the entity, and any that are shared between the TPSP and the entity.
12.9.1 Additional requirement for service providers only: TPSPs provide written agreements to customers that include acknowledgments that TPSPs are responsible for the security of account data the TPSP possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that the TPSP could impact the security of the customer’s cardholder data and/or sensitive authentication data.
12.9.2 Additional requirement for service providers only: TPSPs support their customers’ requests for information to meet Requirements 12.
12.10.1 An incident response plan exists and is ready to be activated in the event of a suspected or confirmed security incident.
12.10.2 At least once every 12 months, the security incident response plan is: Reviewed and the content is updated as needed.
12.10.3 Specific personnel are designated to be available on a 24/7 basis to respond to suspected or confirmed security incidents.
12.10.4 Personnel responsible for responding to suspected and confirmed security incidents are appropriately and periodically trained on their incident response responsibilities.
12.10.5 The security incident response plan includes monitoring and responding to alerts from security monitoring systems, including but not limited to: Intrusion-detection and intrusion-prevention systems.
12.10.6 The security incident response plan is modified and evolved according to lessons learned and to incorporate industry developments.
12.10.7 Incident response procedures are in place, to be initiated upon the detection of stored PAN anywhere it is not expected, and include: Determining what to do if PAN is discovered outside the CDE, including its retrieval, secure deletion, and/or migration into the currently defined CDE, as applicable.