| Requirement | Description | Sub-requirements |
| --- | --- | --- |
| 12.1 | A comprehensive information security policy that governs and provides direction for protection of the entity's information assets is known and current. | 4 |
| 12.1.1 | An overall information security policy is established, published, maintained, and disseminated to all relevant personnel, as well as to relevant vendors and business partners. | |
| 12.1.2 | The information security policy is reviewed at least once every 12 months, and updated as needed to reflect changes to business objectives or risks to the environment. | |
| 12.1.3 | The security policy clearly defines information security roles and responsibilities for all personnel, and all personnel are aware of and acknowledge their information security responsibilities. | |
| 12.1.4 | Responsibility for information security is formally assigned to a Chief Information Security Officer or other information security knowledgeable member of executive management. | |
| 12.2 | Acceptable use policies for end-user technologies are defined and implemented. | 1 |
| 12.2.1 | Acceptable use policies for end-user technologies are documented and implemented. | |
| 12.3 | Risks to the cardholder data environment are formally identified, evaluated, and managed. | 4 |
| 12.3.1 | For each PCI DSS requirement that specifies completion of a targeted risk analysis, the analysis is documented. | |
| 12.3.2 | A targeted risk analysis is performed for each PCI DSS requirement that the entity meets with the customized approach. | |
| 12.3.3 | Cryptographic cipher suites and protocols in use are documented and reviewed at least once every 12 months. | |
| 12.3.4 | Hardware and software technologies in use are reviewed at least once every 12 months. | |
| 12.4 | PCI DSS compliance is managed. | 2 |
| 12.4.1 | Responsibility is established by executive management for the protection of cardholder data and a PCI DSS compliance program. | |
| 12.4.2 | Reviews are performed at least once every three months to confirm that personnel are performing their tasks in accordance with all security policies and operational procedures. | 1 |
| 12.4.2.1 | Reviews conducted in accordance with Requirement 12.4.2 are documented. | |
| 12.5 | PCI DSS scope is documented and validated. | 3 |
| 12.5.1 | An inventory of system components that are in scope for PCI DSS, including a description of function/use, is maintained and kept current. | |
| 12.5.2 | PCI DSS scope is documented and confirmed by the entity at least once every 12 months and upon significant change to the in-scope environment. | 1 |
| 12.5.2.1 | PCI DSS scope is documented and confirmed by the entity at least once every six months and upon significant change to the in-scope environment. | |
| 12.5.3 | Significant changes to organizational structure result in a documented (internal) review of the impact to PCI DSS scope and applicability of controls, with results communicated to executive management. | |
| 12.6 | Security awareness education is an ongoing activity. | 3 |
| 12.6.1 | A formal security awareness program is implemented to make all personnel aware of the entity's information security policy and procedures, and their role in protecting cardholder data. | |
| 12.6.2 | The security awareness program is reviewed at least once every 12 months, and updated to address any new threats and vulnerabilities. | |
| 12.6.3 | Personnel receive security awareness training. | 2 |
| 12.6.3.1 | Security awareness training includes awareness of threats and vulnerabilities that could impact the security of the CDE. | |
| 12.6.3.2 | Security awareness training includes awareness about the acceptable use of end-user technologies. | |
| 12.7 | Personnel are screened to reduce risks from insider threats. | 1 |
| 12.7.1 | Potential personnel who will have access to the CDE are screened, within the constraints of local laws, prior to hire to minimize the risk of attacks from internal sources. | |
| 12.8 | Risk to information assets associated with third-party service provider (TPSP) relationships is managed. | 5 |
| 12.8.1 | A list of all third-party service providers (TPSPs) with which account data is shared or that could affect the security of account data is maintained, including a description for each of the services provided. | |
| 12.8.2 | Written agreements with TPSPs are maintained. | |
| 12.8.3 | An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement. | |
| 12.8.4 | A program is implemented to monitor TPSPs' PCI DSS compliance status at least once every 12 months. | |
| 12.8.5 | Information is maintained about which PCI DSS requirements are managed by each TPSP, which are managed by the entity, and any that are shared between the TPSP and the entity. | |
| 12.9 | Third-party service providers (TPSPs) support their customers' PCI DSS compliance. | 2 |
| 12.9.1 | TPSPs provide written agreements to customers that include acknowledgments that TPSPs are responsible for the security of account data the TPSP possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that the TPSP could impact the security of the customer's cardholder data and/or sensitive authentication data. | |
| 12.9.2 | TPSPs support their customers' requests for information to meet Requirements 12.8.4 and 12.8.5. | |
| 12.10 | Suspected and confirmed security incidents that could impact the CDE are responded to immediately. | 7 |
| 12.10.1 | An incident response plan exists and is ready to be activated in the event of a suspected or confirmed security incident. | |
| 12.10.2 | At least once every 12 months, the security incident response plan is reviewed and the content is updated as needed, and tested. | |
| 12.10.3 | Specific personnel are designated to be available on a 24/7 basis to respond to suspected or confirmed security incidents. | |
| 12.10.4 | Personnel responsible for responding to suspected and confirmed security incidents are appropriately and periodically trained on their incident response responsibilities. | 1 |
| 12.10.4.1 | The frequency of periodic training for incident response personnel is defined in the entity's targeted risk analysis. | |
| 12.10.5 | The security incident response plan includes monitoring and responding to alerts from security monitoring systems. | |
| 12.10.6 | The security incident response plan is modified and evolved according to lessons learned and to incorporate industry developments. | |
| 12.10.7 | Incident response procedures are in place, to be initiated upon the detection of stored PAN anywhere it is not expected. | |