| ๐ผ 12.1 Establish, publish, maintain, and disseminate a security policy. | 1 | | | |
| ย ย ย ย ๐ผ 12.1.1 Review the security policy at least annually and update the policy when the environment changes. | | | | |
| ๐ผ 12.2 Implement a risk-assessment process. | | | | |
| ๐ผ 12.3 Develop usage policies for critical technologies and define proper use of these technologies. | 10 | | | |
| ย ย ย ย ๐ผ 12.3.1 Explicit approval by authorized parties. | | | | |
| ย ย ย ย ๐ผ 12.3.2 Authentication for use of the technology. | | | | |
| ย ย ย ย ๐ผ 12.3.3 A list of all such devices and personnel with access. | | | | |
| ย ย ย ย ๐ผ 12.3.4 A method to accurately and readily determine owner, contact information, and purpose. | | | | |
| ย ย ย ย ๐ผ 12.3.5 Acceptable uses of the technology. | | | | |
| ย ย ย ย ๐ผ 12.3.6 Acceptable network locations for the technologies. | | | | |
| ย ย ย ย ๐ผ 12.3.7 List of company-approved products. | | | | |
| ย ย ย ย ๐ผ 12.3.8 Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity. | | | | |
| ย ย ย ย ๐ผ 12.3.9 Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use. | | | | |
| ย ย ย ย ๐ผ 12.3.10 For personnel accessing cardholder data via remote-access technologies, prohibit the copying, moving, and storage of cardholder data onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need. | | | | |
| ๐ผ 12.4 Ensure that the security policy and procedures clearly define information security responsibilities for all personnel. | 1 | | | |
| ย ย ย ย ๐ผ 12.4.1 Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program. | | | | |
| ๐ผ 12.5 Assign to an individual or team information security management responsibilities. | 5 | | | |
| ย ย ย ย ๐ผ 12.5.1 Establish, document, and distribute security policies and procedures. | | | | |
| ย ย ย ย ๐ผ 12.5.2 Monitor and analyze security alerts and information, and distribute to appropriate personnel. | | | | |
| ย ย ย ย ๐ผ 12.5.3 Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations. | | | | |
| ย ย ย ย ๐ผ 12.5.4 Administer user accounts, including additions, deletions, and modifications. | | | | |
| ย ย ย ย ๐ผ 12.5.5 Monitor and control all access to data. | | | | |
| ๐ผ 12.6 Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures. | 2 | | | |
| ย ย ย ย ๐ผ 12.6.1 Educate personnel upon hire and at least annually. | | | | |
| ย ย ย ย ๐ผ 12.6.2 Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures. | | | | |
| ๐ผ 12.7 Screen potential personnel prior to hire to minimize the risk of attacks from internal sources. | | | | |
| ๐ผ 12.8 Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data. | 5 | | | |
| ย ย ย ย ๐ผ 12.8.1 Maintain a list of service providers including a description of the service provided. | | | | |
| ย ย ย ย ๐ผ 12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer's cardholder data environment. | | | | |
| ย ย ย ย ๐ผ 12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement. | | | | |
| ย ย ย ย ๐ผ 12.8.4 Maintain a program to monitor service providers' PCI DSS compliance status at least annually. | | | | |
| ย ย ย ย ๐ผ 12.8.5 Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity. | | | | |
| ๐ผ 12.9 Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer's cardholder data environment. | | | | |
| ๐ผ 12.10 Implement an incident response plan. | 6 | | | |
| ย ย ย ย ๐ผ 12.10.1 Create the incident response plan to be implemented in the event of system breach. | | | | |
| ย ย ย ย ๐ผ 12.10.2 Review and test the plan at least annually. | | | | |
| ย ย ย ย ๐ผ 12.10.3 Designate specific personnel to be available on a 24/7 basis to respond to alerts. | | | | |
| ย ย ย ย ๐ผ 12.10.4 Provide appropriate training to staff with security breach response responsibilities. | | | | |
| ย ย ย ย ๐ผ 12.10.5 Include alerts from security monitoring systems, including but not limited to intrusion-detection, intrusion-prevention, firewalls, and file-integrity monitoring systems. | | | | |
| ย ย ย ย ๐ผ 12.10.6 Develop a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments. | | | | |
| ๐ผ 12.11 Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures. | 1 | | | |
| ย ย ย ย ๐ผ 12.11.1 Maintain documentation of quarterly review process. | | | | |