PCI DSS Requirement 12: Maintain an Information Security Policy
The other 11 requirements each include sub-requirements that call for documented policies and procedures; writing down what the organization expects of its security posture is fundamental to meeting all of them.
A strong information security policy sets the tone and conveys, across the organization, how critical protecting cardholder data is.
PCI DSS Requirement 12 details how to support information security with organization policies and programs.
For additional details on all 12 of the Requirements, read our PCI DSS Requirements overview.
Requirement 12 Details and Sections
Requirement 12 contains ten sections that detail the procedures for creating and maintaining a thorough information security policy.
Detailed requirement sections include:
- Requirement 12.1: A comprehensive information security policy that governs and provides direction for protection of the entity’s information assets is known and current.
- Requirement 12.2: Acceptable use policies for end-user technologies are defined and implemented.
- Requirement 12.3: Cardholder data environment risks are formally identified, evaluated, and managed.
- Requirement 12.4: PCI DSS compliance is managed.
- Requirement 12.5: PCI DSS scope is documented and validated.
- Requirement 12.6: Security awareness education is an ongoing activity.
- Requirement 12.7: Personnel are screened to reduce risks from insider threats.
- Requirement 12.8: Risk to information assets associated with third-party service provider (TPSP) relationships is managed.
- Requirement 12.9: TPSPs support their customers’ PCI DSS compliance.
- Requirement 12.10: Suspected and confirmed security incidents that could impact the CDE are responded to immediately.
Requirement 12.1: A comprehensive information security policy that governs and provides direction for protection of the entity’s information assets is known and current.
An information security policy communicates management’s intent and objectives regarding the protection of its most valuable assets, including cardholder data.
Detailed requirement sections include:
- Requirement 12.1.1: An overall information security policy is established, published, maintained, and disseminated to all relevant individuals and relevant vendors and business partners.
- Requirement 12.1.2: The information security policy is reviewed at least once every 12 months and updated as needed to reflect changes to business objectives or risks to the environment.
- Requirement 12.1.3: The security policy clearly defines information security roles and responsibilities for all personnel, and all personnel are aware of and acknowledge their information security responsibilities.
- Requirement 12.1.4: Responsibility for information security is formally assigned to a Chief Information Security Officer or other knowledgeable member of executive management.
Requirement 12.2: Acceptable use policies for end-user technologies are defined and implemented.
End-user technologies are a significant investment and may pose significant risk to an organization if not managed properly. Acceptable use policies outline the expected behavior from personnel when using the organization’s technology and reflect the organization’s risk tolerance.
Detailed requirement sections include:
- Requirement 12.2.1: Acceptable use policies for end-user technologies are documented and implemented, including:
- Explicit approval by authorized parties.
- Acceptable uses of the technology.
- List of products approved for employee use, including hardware and software.
Requirement 12.3: Cardholder data environment risks are formally identified, evaluated, and managed.
Some PCI DSS requirements allow an organization to define how frequently an activity is performed based on the potential risk to the environment. Performing each such risk analysis according to a documented methodology keeps the results defensible and consistent with the organization’s policies.
Detailed requirement sections include:
- Requirement 12.3.1: Each PCI DSS requirement that provides flexibility for how frequently it is performed is supported by a targeted risk analysis documented to include:
- Identification of the protected assets.
- Identification of the threats the requirement is protecting against.
- Identification of factors that contribute to the likelihood or impact of a threat being realized.
- Resulting analysis that determines, and includes justification for, how frequently the requirement must be performed to minimize the likelihood of the threat being realized.
- Review of each targeted risk analysis at least once every 12 months to determine whether the results are still valid or if an updated risk analysis is needed.
- Performance of updated risk analyses when needed, as determined by the annual review.
- Requirement 12.3.2: A targeted risk analysis is performed for each PCI DSS requirement that the entity meets with the customized approach, to include:
- Documented evidence detailing each element specified in Appendix D: Customized Approach (including, at a minimum, a controls matrix and risk analysis).
- Approval of documented evidence by senior management.
- Performance of the targeted analysis of risk at least once every 12 months.
- Requirement 12.3.3: Cryptographic cipher suites and protocols in use are documented and reviewed at least once every 12 months, including at least the following:
- An up-to-date inventory of all cryptographic cipher suites and protocols in use, including purpose and where used.
- Active monitoring of industry trends regarding continued viability of all cryptographic cipher suites and protocols in use.
- A documented strategy to respond to anticipated changes in cryptographic vulnerabilities.
- Requirement 12.3.4: Hardware and software technologies in use are reviewed at least once every 12 months, including at least the following:
- Analysis that the technologies continue to receive security fixes from vendors promptly.
- Analysis that the technologies continue to support (and do not preclude) the entity’s PCI DSS compliance.
- Documentation of any industry announcements or trends related to a technology, such as when a vendor has announced “end of life” plans for a technology.
- Documentation of a plan, approved by senior management, to remediate outdated technologies, including those for which vendors have announced “end of life” plans.
Requirement 12.4: PCI DSS compliance is managed.
PCI DSS compliance responsibilities should be assigned to a member of executive management to ensure visibility into the PCI DSS compliance program. Both sub-requirements under 12.4 apply to service providers only.
Detailed requirement sections include:
- Requirement 12.4.1 (additional requirement for service providers only): Responsibility is established by executive management for the protection of cardholder data and a PCI DSS compliance program to include:
- Overall accountability for maintaining PCI DSS compliance.
- Defining a charter for a PCI DSS compliance program and communication to executive management.
- Requirement 12.4.2 (additional requirement for service providers only): Reviews are performed at least once every three months by others not assigned to a task to confirm that personnel are performing their tasks in accordance with all security policies and operational procedures. These include:
- Daily log reviews.
- Configuration reviews for network security controls.
- Applying configuration standards to new systems.
- Responding to security alerts.
- Change-management processes.
- Requirement 12.4.2.1 (additional requirement for service providers only): These reviews are documented to include:
- Results of the reviews.
- Documented remediation actions taken for any tasks that were found to not be performed at Requirement 12.4.2.
- Review and sign-off of results by personnel assigned responsibility for the PCI DSS compliance program.
Requirement 12.5: PCI DSS scope is documented and validated.
Organizations should maintain a current list of all system components in order to best define the scope of the environment and implement PCI DSS requirements accurately. This inventory will ensure all system components are included and not inadvertently excluded from the company’s configuration standards.
Detailed requirement sections include:
- Requirement 12.5.1: An inventory of system components that are in scope for PCI DSS, including a description of function/use, is maintained and kept current.
- Requirement 12.5.2: PCI DSS scope is documented and confirmed at least once every 12 months and upon significant change to the in-scope environment. At a minimum, the scoping validation includes:
- Identifying all data flows for the various payment stages and acceptance channels.
- Updating all data-flow diagrams per Requirement 1.2.4.
- Identifying all locations where account data is stored, processed, and transmitted, including but not limited to: 1) any locations outside of the currently defined CDE, 2) applications that process CHD, 3) transmissions between systems and networks, and 4) file backups.
- Identifying all system components in the CDE, connected to the CDE, or that could impact security of the CDE.
- Identifying all segmentation controls in use and the environment(s) from which the CDE is segmented, including justification for environments being out of scope.
- Identifying all connections from third-party entities with access to the CDE.
- Confirming that all identified data flows, account data, system components, segmentation controls, and connections from third parties with access to the CDE are included in scope.
- Requirement 12.5.2.1 (additional requirement for service providers only): PCI DSS scope is documented and confirmed at least once every six months and upon significant change to the in-scope environment. At a minimum, the scoping validation includes all the elements specified in Requirement 12.5.2.
- Requirement 12.5.3 (additional requirement for service providers only): Significant changes to organizational structure result in a documented (internal) review of the impact to PCI DSS scope and applicability of controls, with results communicated to executive management.
Requirement 12.6: Security awareness education is an ongoing activity.
If personnel are not educated about their company’s information security policies as well as their own security responsibilities, implemented safeguards and processes may become ineffective through unintentional or intentional actions.
Detailed requirement sections include:
- Requirement 12.6.1: A formal security awareness program is implemented to make all personnel aware of the entity’s information security policy and procedures, and their role in protecting cardholder data.
- Requirement 12.6.2: The security awareness program is reviewed at least once every 12 months, and updated as needed to address any new threats and vulnerabilities that may impact either the security of the entity’s CDE or the information provided to personnel about their role in protecting cardholder data.
- Requirement 12.6.3: Personnel receive security awareness training as follows:
- Upon hire and at least once every 12 months.
- Multiple methods of communication are used.
- Personnel acknowledge at least once every 12 months that they have read and understood the information security policy and procedures.
- Requirement 12.6.3.1: Security awareness training includes awareness of threats and vulnerabilities that could impact the security of the CDE, including phishing and related attacks, social engineering, and more.
- Requirement 12.6.3.2: Security awareness training includes awareness about the acceptable use of end-user technologies in accordance with Requirement 12.2.1.
Requirement 12.7: Personnel are screened to reduce risks from insider threats.
Candidates who will have access to the CDE should be screened before hire, within the limits local law allows. This reduces the risk of insider attacks on cardholder data and contributes to overall workplace safety.
Detailed requirement sections include:
- Requirement 12.7.1: Potential personnel who will have access to the CDE are screened within the constraints of local laws, prior to hire to minimize the risk of attacks from internal sources.
Requirement 12.8: Risk to information assets associated with third-party service provider (TPSP) relationships is managed.
Maintaining a list of all TPSPs in use shows where risk extends outside the organization and defines its extended attack surface.
Detailed requirement sections include:
- Requirement 12.8.1: A list of all TPSPs with which account data is shared or that could affect the security of account data is maintained, including a description for each of the services provided.
- Requirement 12.8.2: Written agreements with TPSPs are maintained as follows:
- Agreements are maintained with all TPSPs with which account data is shared or that could affect the security of the CDE.
- Agreements include acknowledgments from TPSPs that they are responsible for the security of account data the TPSPs possess or otherwise store, process, or transmit on behalf of the organization, or to the extent that they could impact the security of the CDE.
- Requirement 12.8.3: An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement.
- Requirement 12.8.4: A program is implemented to monitor TPSPs’ PCI DSS compliance status at least once every 12 months.
- Requirement 12.8.5: Information is maintained about which PCI DSS requirements are managed by each TPSP, which are managed by the entity, and any that are shared between the TPSP and the entity.
Requirement 12.9: TPSPs support their customers’ PCI DSS compliance.
Partnering only with third parties that are careful to achieve and maintain PCI DSS compliance will help protect the security of an organization’s cardholder data.
Detailed requirement sections include:
- Requirement 12.9.1 (additional requirement for service providers only): TPSPs acknowledge in writing to customers that they are responsible for the security of account data the TPSP possesses or otherwise processes on behalf of the customer, or to the extent that they could impact the security of the customer’s CDE.
- Requirement 12.9.2 (additional requirement for service providers only): TPSPs support their customers’ requests for information to meet Requirements 12.8.4 and 12.8.5 by providing the following upon customer request:
- PCI DSS compliance status information for any service the TPSP performs on behalf of customers.
- Information about which PCI DSS requirements are the responsibility of the TPSP and which are the responsibility of the customer, including any shared responsibilities.
Requirement 12.10: Suspected and confirmed security incidents that could impact the CDE are responded to immediately.
Without a comprehensive incident response plan that the responsible parties understand, confusion during an incident can prolong downtime and increase financial and reputational loss.
Detailed requirement sections include:
- Requirement 12.10.1: An incident response plan exists and is ready to be activated in the event of a suspected or confirmed security incident, including:
- Roles, responsibilities, and communication and contact strategies in the event of a suspected or confirmed security incident, including notification of payment brands and acquirers, at a minimum.
- Incident response procedures with specific containment and mitigation activities for different types of incidents.
- Business recovery and continuity procedures.
- Data backup processes.
- Analysis of legal requirements for reporting compromises.
- Coverage and responses of all critical system components.
- Reference or inclusion of incident response procedures from the payment brands.
- Requirement 12.10.2: At least once every 12 months, the security incident response plan is reviewed and its content updated as needed, and the plan is tested, including all elements listed in Requirement 12.10.1.
- Requirement 12.10.3: Specific personnel are designated to be available on a 24/7 basis to respond to suspected or confirmed security incidents.
- Requirement 12.10.4: Personnel responsible for responding to security incidents are appropriately and periodically trained on their incident response responsibilities.
- Requirement 12.10.4.1: The frequency of periodic training for incident response personnel is defined in the organization’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.
- Requirement 12.10.5: The security incident response plan includes monitoring and responding to alerts from security monitoring systems, including:
- Intrusion-detection and intrusion-prevention systems.
- Network security controls.
- Change-detection mechanisms for critical files.
- The change- and tamper-detection mechanism for payment pages.
- Detection of unauthorized wireless access points.
- Requirement 12.10.6: The security incident response plan is modified and evolved according to lessons learned and to incorporate industry developments.
- Requirement 12.10.7: Incident response procedures are in place, to be initiated upon the detection of stored PAN anywhere it is not expected, and include:
- Determining what to do if PAN is discovered outside the CDE, including its retrieval, secure deletion, and/or migration into the currently defined CDE, as applicable.
- Identifying whether sensitive authentication data is stored with PAN.
- Determining where the account data came from and how it ended up where it was not expected.
- Remediating data leaks or process gaps that resulted in the account data being where it was not expected.
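Requirement 12.10.7 presumes you can actually detect PAN where it is not expected. The following is an added example, not code from the original page or from the PCI DSS itself, of the detection step that would trigger those procedures: it scans text (logs, exports, backups) for 13 to 19 digit sequences, discards candidates that fail the Luhn check, masks anything it reports to the first six and last four digits so the scanner itself does not become a new store of PAN, and flags findings where sensitive authentication data appears to be stored alongside the PAN. The track-2 and CVV heuristics, the 40-character window, and the sample log lines are all constructed assumptions for illustration.

```python
"""Find stored PAN, and co-located sensitive authentication data, in text (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Heuristics (assumptions) for sensitive authentication data next to a PAN:
# a track-2 layout (PAN=YYMM...) or a labelled card verification value.
TRACK2_RE = re.compile(r"^=\d{4}")
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid|pin)\b\s*[:=]?\s*\d{3,4}\b", re.I)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; rejects most order IDs, timestamps and hashes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits in anything we report."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    line_no: int
    masked_pan: str
    sad_present: bool   # sensitive authentication data stored alongside the PAN


def scan_text(text: str, window: int = 40) -> list[Finding]:
    """Return one Finding per Luhn-valid PAN candidate, with masked PAN only."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
                continue
            tail = line[m.end(): m.end() + window]
            sad = bool(TRACK2_RE.match(tail)) or bool(CVV_RE.search(tail))
            findings.append(Finding(line_no, mask_pan(digits), sad))
    return findings


# Constructed sample: an application log that should never contain card data.
# 4111... and 5555... are well-known test card numbers; the order_id is 16 digits
# but fails Luhn, and the fourth line has a typo'd PAN that also fails Luhn.
SAMPLE_LOG = """\
2024-03-02T10:15:01Z order-service INFO order_id=1234567890123456 status=ok
2024-03-02T10:15:02Z checkout DEBUG card=4111 1111 1111 1111 exp=12/26 cvv=123
2024-03-02T10:15:03Z export.csv row: 5555555555554444,2611,John Doe
2024-03-02T10:15:04Z checkout DEBUG card=4111-1111-1111-1112 declined
2024-03-02T10:15:05Z legacy-pos DEBUG track2=;4111111111111111=26121010000000000000?
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f.line_no}: PAN {f.masked_pan} SAD={'yes' if f.sad_present else 'no'}")
```

Run against the sample, the scanner reports lines 2, 3 and 5 and ignores the order ID and the mistyped PAN. Lines 2 and 5 are the serious cases: a CVV and full track-2 data are stored with the PAN, which PCI DSS never permits after authorization, so the 12.10.7 procedure must treat them as a data leak to remediate, not just PAN to migrate. A real deployment would run this over file systems, databases and backups, and would log only the masked value and location.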
How Basis Theory Can Help You Satisfy PCI DSS Requirement 12
Securing cardholder data in a CDE satisfies many PCI DSS requirements and provides companies greater control and flexibility over their payment stack. However, building and maintaining the necessary infrastructure and programs can require hundreds of thousands of dollars and months to implement and assess. Basis Theory provides the platform, infrastructure, and tools to secure cardholder data in minutes and without these costs and distractions.
As a PCI Level 1 compliant service provider, Basis Theory extends an independently assessed and approved CDE to customers. Combined with a suite of configurable tools, services, and tokens, companies can collect, secure, and share credit cards without bringing their systems into scope. This approach allows companies to avoid the costs and distractions associated with 95% of the requirements in the Payment Card Industry Data Security Standard (PCI DSS) while retaining complete control over their cardholder data.