Requirement 12.1

Establish, publish, maintain, and disseminate a security policy.

Testing Procedure

12.1
Examine the information security policy and verify that the policy is published and disseminated to all relevant personnel (including vendors and business partners).

Guidance

A company's information security policy creates the roadmap for implementing security measures to protect its most valuable assets. All personnel should be aware of the sensitivity of data and their responsibilities for protecting it.

Requirement 12.1.1

Review the security policy at least annually and update the policy when the environment changes.

Testing Procedure

12.1.1
Verify that the information security policy is reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment.

Guidance

Security threats and protection methods evolve rapidly. Without updating the security policy to reflect relevant changes, new protection measures to fight against these threats are not addressed.

Requirement 12.2

Implement a risk-assessment process that:

  • Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.),
  • Identifies critical assets, threats, and vulnerabilities, and
  • Results in a formal, documented analysis of risk.

Examples of risk-assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP 800-30.

Testing Procedure

12.2.a
Verify that an annual risk-assessment process is documented that:

  • Identifies critical assets, threats, and vulnerabilities
  • Results in a formal, documented analysis of risk

12.2.b
Review risk-assessment documentation to verify that the risk-assessment process is performed at least annually and upon significant changes to the environment.

Guidance

A risk assessment enables an organization to identify threats and associated vulnerabilities with the potential to negatively impact their business. Resources can then be effectively allocated to implement controls that reduce the likelihood and/or the potential impact of the threat being realized.

Performing risk assessments at least annually and upon significant changes allows the organization to keep up to date with organizational changes and evolving threats, trends, and technologies.

Requirement 12.3

Develop usage policies for critical technologies and define proper use of these technologies.

Note: Examples of critical technologies include, but are not limited to, remote access and wireless technologies, laptops, tablets, removable electronic media, e-mail usage and Internet usage.

Ensure these usage policies require the following: (See 12.3.1 through 12.3.10)

Testing Procedure

12.3
Examine the usage policies for critical technologies and interview responsible personnel to verify the following policies are implemented and followed: (See 12.3.1 through 12.3.10)

Guidance

Personnel usage policies can either prohibit use of certain devices and other technologies if that is company policy, or provide guidance for personnel as to correct usage and implementation. If usage policies are not in place, personnel may use the technologies in violation of company policy, thereby allowing malicious individuals to gain access to critical systems and cardholder data.

Requirement 12.3.1

Explicit approval by authorized parties

Testing Procedure

12.3.1
Verify that the usage policies include processes for explicit approval from authorized parties to use the technologies.

Guidance

Without requiring proper approval for implementation of these technologies, individual personnel may innocently implement a solution to a perceived business need, but also open a huge hole that subjects critical systems and data to malicious individuals.

Requirement 12.3.2

Authentication for use of the technology

Testing Procedure

12.3.2
Verify that the usage policies include processes for all technology use to be authenticated with user ID and password or other authentication item (for example, token).

Guidance

If technology is implemented without proper authentication (user IDs and passwords, tokens, VPNs, etc.), malicious individuals may easily use this unprotected technology to access critical systems and cardholder data.

Requirement 12.3.3

A list of all such devices and personnel with access

Testing Procedure

12.3.3
Verify that the usage policies define a list of all devices and personnel authorized to use the devices.

Guidance

Malicious individuals may breach physical security and place their own devices on the network as a “back door.” Personnel may also bypass procedures and install devices. An accurate inventory with proper device labeling allows for quick identification of non-approved installations.

Requirement 12.3.4

A method to accurately and readily determine owner, contact information, and purpose (for example, labeling, coding, and/or inventorying of devices)

Testing Procedure

12.3.4
Verify that the usage policies define a method to accurately and readily determine owner, contact information, and purpose (for example, labeling, coding, and/or inventorying of devices).

Guidance

Malicious individuals may breach physical security and place their own devices on the network as a “back door.” Personnel may also bypass procedures and install devices. An accurate inventory with proper device labeling allows for quick identification of non-approved installations. Consider establishing an official naming convention for devices, and log all devices with established inventory controls. Logical labeling may be employed with information such as codes that can correlate the device to its owner, contact information, and purpose.

Requirement 12.3.5

Acceptable uses of the technology

Testing Procedure

12.3.5
Verify that the usage policies define acceptable uses for the technology.

Guidance for 12.3.5 through 12.3.7

By defining acceptable business use and location of company-approved devices and technology, the company is better able to manage and control gaps in configurations and operational controls, to ensure a “back door” is not opened for a malicious individual to gain access to critical systems and cardholder data.

Requirement 12.3.6

Acceptable network locations for the technologies

Testing Procedure

12.3.6
Verify that the usage policies define acceptable network locations for the technology.

Requirement 12.3.7

List of company-approved products

Testing Procedure

12.3.7
Verify that the usage policies include a list of company-approved products.

Requirement 12.3.8

Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity

Testing Procedure

12.3.8.a
Verify that the usage policies require automatic disconnect of sessions for remote-access technologies after a specific period of inactivity.

12.3.8.b
Examine configurations for remote access technologies to verify that remote access sessions will be automatically disconnected after a specific period of inactivity.

Guidance for 12.3.8 and 12.3.9

Remote-access technologies are frequent "back doors" to critical resources and cardholder data. By disconnecting remote-access technologies when not in use (for example, those used to support your systems by your POS vendor, other vendors, or business partners), access to networks and the associated risk are minimized.
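Testing procedure 12.3.8.b asks the assessor to examine remote-access configurations for an inactivity disconnect. The check below is an added example, not part of PCI DSS or any assessor toolkit; it assumes a Linux host reached over OpenSSH, a policy limit of 15 minutes, and an idle logout enforced by a read-only TMOUT exported from a profile script (all constructed assumptions), and it separates the genuine idle disconnect from OpenSSH's keepalive settings, which only drop unresponsive clients.

```python
# Added example (not from PCI DSS): check a Linux/OpenSSH remote-access host
# for an inactivity disconnect, as an assessor would under 12.3.8.b.
# Assumptions (constructed): the policy limit is 15 minutes and the idle
# logout is enforced by a read-only TMOUT exported from /etc/profile.d.
import re

POLICY_MAX_IDLE_SECONDS = 15 * 60  # constructed policy value, not from the standard


def parse_sshd_config(text):
    """Parse sshd_config-style 'Keyword value' lines; the first occurrence
    wins, which matches how sshd itself resolves repeated keywords."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip())
    return opts


def parse_tmout(text):
    """Return (timeout_seconds, readonly) from shell profile text.
    timeout_seconds is None when TMOUT is never assigned."""
    timeout, readonly = None, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(?:export\s+|readonly\s+)?TMOUT=(\d+)\b", line)
        if m:
            timeout = int(m.group(1))
            readonly = readonly or line.startswith("readonly")
        elif re.match(r"readonly\s+TMOUT\b", line):
            readonly = True
    return timeout, readonly


def check_idle_disconnect(sshd_text, profile_text, max_idle=POLICY_MAX_IDLE_SECONDS):
    """Return a list of findings; an empty list means 12.3.8.b is satisfied
    for this host under the stated assumptions."""
    findings = []

    # The shell idle timeout is what actually ends an inactive session.
    timeout, readonly = parse_tmout(profile_text)
    if not timeout:
        findings.append("no idle timeout (TMOUT unset or 0)")
    elif timeout > max_idle:
        findings.append(f"TMOUT={timeout}s exceeds policy {max_idle}s")
    elif not readonly:
        findings.append("TMOUT is set but not readonly; a user can unset it")

    # ClientAlive* only drops clients that stop answering keepalives. An idle
    # user's client keeps answering, so this is a dead-connection check, not
    # an inactivity disconnect; it is reported so it is not mistaken for one.
    ssh = parse_sshd_config(sshd_text)
    interval = int(ssh.get("clientaliveinterval", "0"))
    count = int(ssh.get("clientalivecountmax", "3"))
    if interval == 0:
        findings.append("ClientAliveInterval 0: unresponsive clients are never dropped")
    elif interval * count > max_idle:
        findings.append(f"dead clients dropped only after {interval * count}s, beyond policy {max_idle}s")
    return findings


# Constructed sample configurations (not taken from any real host).
WEAK_SSHD = "Port 22\nClientAliveInterval 0\n"
WEAK_PROFILE = "export TMOUT=0   # idle logout disabled\n"
GOOD_SSHD = "Port 22\nClientAliveInterval 300\nClientAliveCountMax 3\n"
GOOD_PROFILE = "TMOUT=900\nreadonly TMOUT\nexport TMOUT\n"

if __name__ == "__main__":
    for name, sshd, profile in (("weak", WEAK_SSHD, WEAK_PROFILE),
                                ("good", GOOD_SSHD, GOOD_PROFILE)):
        print(name, check_idle_disconnect(sshd, profile) or ["compliant"])
```

Other remote-access technologies (VPN concentrators, RDP gateways, vendor support tools) expose their own idle-timeout settings; the same distinction between a real inactivity disconnect and a dead-connection keepalive applies when examining them.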

Requirement 12.3.9

Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use

Testing Procedure

12.3.9
Verify that the usage policies require activation of remote-access technologies used by vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use.

Requirement 12.3.10

For personnel accessing cardholder data via remote-access technologies, prohibit the copying, moving, and storage of cardholder data onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need.

Where there is an authorized business need, the usage policies must require the data be protected in accordance with all applicable PCI DSS Requirements.

Testing Procedure

12.3.10.a
Verify that the usage policies prohibit copying, moving, or storing of cardholder data onto local hard drives and removable electronic media when accessing such data via remote-access technologies.

12.3.10.b
For personnel with proper authorization, verify that usage policies require the protection of cardholder data in accordance with PCI DSS Requirements.

Guidance

To ensure all personnel are aware of their responsibilities to not store or copy cardholder data onto their local personal computers or other media, your policy should clearly prohibit such activities except for personnel that have been explicitly authorized to do so. Storing or copying cardholder data onto a local hard drive or other media must be in accordance with all applicable PCI DSS requirements.

Requirement 12.4

Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.

Testing Procedure

12.4.a
Verify that information security policies clearly define information security responsibilities for all personnel.

12.4.b
Interview a sample of responsible personnel to verify they understand the security policies.

Guidance

Without clearly defined security roles and responsibilities assigned, there could be inconsistent interaction with the security group, leading to unsecured implementation of technologies or use of outdated or unsecured technologies.

Requirement 12.5

Assign to an individual or team the following information security management responsibilities:

Testing Procedure

12.5
Examine information security policies and procedures to verify:

  • The formal assignment of information security to a Chief Security Officer or other security-knowledgeable member of management.
  • The following information security responsibilities are specifically and formally assigned:

Guidance for 12.5 through 12.5.5

Each person or team with responsibilities for information security management should be clearly aware of their responsibilities and related tasks, through specific policy. Without this accountability, gaps in processes may open access into critical resources or cardholder data.

Requirement 12.5.1

Establish, document, and distribute security policies and procedures.

Testing Procedure

12.5.1
Verify that responsibility for establishing, documenting and distributing security policies and procedures is formally assigned.

Requirement 12.5.2

Monitor and analyze security alerts and information, and distribute to appropriate personnel.

Testing Procedure

12.5.2
Verify that responsibility for monitoring and analyzing security alerts and distributing information to appropriate information security and business unit management personnel is formally assigned.

Requirement 12.5.3

Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.

Testing Procedure

12.5.3
Verify that responsibility for establishing, documenting, and distributing security incident response and escalation procedures is formally assigned.

Requirement 12.5.4

Administer user accounts, including additions, deletions, and modifications.

Testing Procedure

12.5.4
Verify that responsibility for administering (adding, deleting, and modifying) user account and authentication management is formally assigned.

Requirement 12.5.5

Monitor and control all access to data.

Testing Procedure

12.5.5
Verify that responsibility for monitoring and controlling all access to data is formally assigned.

Requirement 12.6

Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.

Testing Procedure

12.6.a
Review the security awareness program to verify it provides awareness to all personnel about the importance of cardholder data security.

12.6.b
Examine security awareness program procedures and documentation and perform the following:

Guidance

If personnel are not educated about their security responsibilities, security safeguards and processes that have been implemented may become ineffective through errors or intentional actions.

Requirement 12.6.1

Educate personnel upon hire and at least annually.

Note: Methods can vary depending on the role of the personnel and their level of access to the cardholder data.

Testing Procedure

12.6.1.a
Verify that the security awareness program provides multiple methods of communicating awareness and educating personnel (for example, posters, letters, memos, web-based training, meetings, and promotions).

12.6.1.b
Verify that personnel attend security awareness training upon hire and at least annually.

12.6.1.c
Interview a sample of personnel to verify they have completed awareness training and are aware of the importance of cardholder data security.

Guidance

If the security awareness program does not include periodic refresher sessions, key security processes and procedures may be forgotten or bypassed, resulting in exposed critical resources and cardholder data.

Requirement 12.6.2

Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures.

Testing Procedure

12.6.2
Verify that the security awareness program requires personnel to acknowledge, in writing or electronically, at least annually, that they have read and understand the information security policy.

Guidance

Requiring an acknowledgement by personnel in writing or electronically helps ensure that they have read and understood the security policies/procedures, and that they have made and will continue to make a commitment to comply with these policies.

Requirement 12.7

Screen potential personnel prior to hire to minimize the risk of attacks from internal sources. (Examples of background checks include previous employment history, criminal record, credit history, and reference checks.)

Note: For those potential personnel to be hired for certain positions such as store cashiers who only have access to one card number at a time when facilitating a transaction, this requirement is a recommendation only.

Testing Procedure

12.7
Inquire with Human Resource department management and verify that background checks are conducted (within the constraints of local laws) prior to hire on potential personnel who will have access to cardholder data or the cardholder data environment.

Guidance

Performing thorough background investigations prior to hiring potential personnel who are expected to be given access to cardholder data reduces the risk of unauthorized use of PANs and other cardholder data by individuals with questionable or criminal backgrounds.

Requirement 12.8

Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows: (See 12.8.1 through 12.8.5)

Testing Procedure

12.8
Through observation, review of policies and procedures, and review of supporting documentation, verify that processes are implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data (for example, backup tape storage facilities, managed service providers such as web-hosting companies or security service providers, those that receive data for fraud modeling purposes, etc.), as follows: (See 12.8.1 through 12.8.5)

Guidance

If a merchant or service provider shares cardholder data with a service provider, certain requirements apply to ensure continued protection of this data will be enforced by such service providers.

Requirement 12.8.1

Maintain a list of service providers.

Testing Procedure

12.8.1
Verify that a list of service providers is maintained.

Guidance

Keeping track of all service providers identifies where potential risk extends to outside of the organization.

Requirement 12.8.2

Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.

Note: The exact wording of an acknowledgement will depend on the agreement between the two parties, the details of the service being provided, and the responsibilities assigned to each party. The acknowledgement does not have to include the exact wording provided in this requirement.

Testing Procedure

12.8.2
Observe written agreements and confirm they include an acknowledgement by service providers that they are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.

Guidance

The acknowledgement by the service providers evidences their commitment to maintaining proper security of the cardholder data they obtain from their clients.

In conjunction with Requirement 12.9, this requirement for written agreements between organizations and service providers is intended to promote a consistent level of understanding between parties about their applicable PCI DSS responsibilities. For example, the agreement may include the applicable PCI DSS requirements to be maintained as part of the provided service.

Requirement 12.8.3

Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.

Testing Procedure

12.8.3
Verify that policies and procedures are documented and implemented including proper due diligence prior to engaging any service provider.

Guidance

The process ensures that any engagement of a service provider is thoroughly vetted internally by an organization, which should include a risk analysis prior to establishing a formal relationship with the service provider.

Specific due-diligence processes and goals will vary for each organization. Examples of considerations may include the provider’s reporting practices, breach-notification and incident response procedures, details of how PCI DSS responsibilities are assigned between each party, how the provider validates their PCI DSS compliance and what evidence they will provide, etc.

Requirement 12.8.4

Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.

Testing Procedure

12.8.4
Verify that the entity maintains a program to monitor its service providers’ PCI DSS compliance status at least annually.

Guidance for 12.8.4 and 12.8.5

Knowing your service providers’ PCI DSS compliance status provides assurance and awareness about whether they comply with the same requirements that your organization is subject to. If the service provider offers a variety of services, this requirement should apply to those services delivered to the client, and those services in scope for the client’s PCI DSS assessment.

The specific information an entity maintains will depend on the particular agreement with their providers, the type of service, etc. The intent is for the assessed entity to understand which PCI DSS requirements their providers have agreed to meet.

Requirement 12.8.5

Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.

Testing Procedure

12.8.5
Verify the entity maintains information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.

Requirement 12.9

Additional requirement for service providers only:
Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.

Note: This requirement is a best practice until June 30, 2015, after which it becomes a requirement.

Note: The exact wording of an acknowledgement will depend on the agreement between the two parties, the details of the service being provided, and the responsibilities assigned to each party. The acknowledgement does not have to include the exact wording provided in this requirement.

Testing Procedure

12.9
Additional testing procedure for service provider assessments only:
Review service provider’s policies and procedures and observe templates used for written agreements to confirm the service provider acknowledges in writing to customers that the service provider will maintain all applicable PCI DSS requirements to the extent the service provider possesses or otherwise stores, processes, or transmits cardholder data on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.

Guidance

Note: This requirement applies only when the entity being assessed is a service provider.

In conjunction with Requirement 12.8.2, this requirement is intended to promote a consistent level of understanding between service providers and their customers about their applicable PCI DSS responsibilities. The acknowledgement by the service providers evidences their commitment to maintaining proper security of the cardholder data they obtain from their clients.

The service provider’s internal policies and procedures related to their customer engagement process and any templates used for written agreements should include provision of an applicable PCI DSS acknowledgement to their customers. The method by which the service provider provides written acknowledgment should be agreed between the provider and their customers.

Requirement 12.10

Implement an incident response plan. Be prepared to respond immediately to a system breach.

Testing Procedure

12.10
Examine the incident response plan and related procedures to verify entity is prepared to respond immediately to a system breach by performing the following: (See 12.10.1 through 12.10.6)

Guidance

Without a thorough security incident response plan that is properly disseminated, read, and understood by the parties responsible, confusion and lack of a unified response could create further downtime for the business, unnecessary public media exposure, as well as new legal liabilities.

Requirement 12.10.1

Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum:

  • Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum
  • Specific incident response procedures
  • Business recovery and continuity procedures
  • Data backup processes
  • Analysis of legal requirements for reporting compromises
  • Coverage and responses of all critical system components
  • Reference or inclusion of incident response procedures from the payment brands.

Testing Procedure

12.10.1.a
Verify that the incident response plan includes:

  • Roles, responsibilities, and communication strategies in the event of a compromise including notification of the payment brands, at a minimum
  • Specific incident response procedures
  • Business recovery and continuity procedures
  • Data backup processes
  • Analysis of legal requirements for reporting compromises (for example, California Bill 1386, which requires notification of affected consumers in the event of an actual or suspected compromise for any business with California residents in their database)
  • Coverage and responses for all critical system components
  • Reference or inclusion of incident response procedures from the payment brands.

12.10.1.b
Interview personnel and review documentation from a sample of previously reported incidents or alerts to verify that the documented incident response plan and procedures were followed.

Guidance

The incident response plan should be thorough and contain all the key elements to allow your company to respond effectively in the event of a breach that could impact cardholder data.

Requirement 12.10.2

Test the plan at least annually.

Testing Procedure

12.10.2
Verify that the plan is tested at least annually.

Guidance

Without proper testing, key steps may be missed, which could result in increased exposure during an incident.

Requirement 12.10.3

Designate specific personnel to be available on a 24/7 basis to respond to alerts.

Testing Procedure

12.10.3
Verify through observation, review of policies, and interviews of responsible personnel that designated personnel are available for 24/7 incident response and monitoring coverage for any evidence of unauthorized activity, detection of unauthorized wireless access points, critical IDS alerts, and/or reports of unauthorized critical system or content file changes.

Guidance for 12.10.3 and 12.10.4

Without a trained and readily available incident response team, extended damage to the network could occur, and critical data and systems may become “polluted” by inappropriate handling of the targeted systems. This can hinder the success of a post-incident investigation.

Requirement 12.10.4

Provide appropriate training to staff with security breach response responsibilities.

Testing Procedure

12.10.4
Verify through observation, review of policies, and interviews of responsible personnel that staff with responsibilities for security breach response are periodically trained.

Requirement 12.10.5

Include alerts from security monitoring systems, including but not limited to intrusion-detection, intrusion-prevention, firewalls, and file-integrity monitoring systems.

Testing Procedure

12.10.5
Verify through observation and review of processes that monitoring and responding to alerts from security monitoring systems are covered in the incident response plan.

Guidance

These monitoring systems are designed to focus on potential risk to data, are critical in taking quick action to prevent a breach, and must be included in the incident-response processes.

Requirement 12.10.6

Develop a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments.

Testing Procedure

12.10.6
Verify through observation, review of policies, and interviews of responsible personnel that there is a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments.

Guidance

Incorporating “lessons learned” into the incident response plan after an incident helps keep the plan current and able to react to emerging threats and security trends.

Goal: Maintain an Information Security Policy

Requirement 12.0

Maintain a policy that addresses information security for all personnel

A strong security policy sets the security tone for the whole entity and informs personnel what is expected of them. All personnel should be aware of the sensitivity of data and their responsibilities for protecting it. For the purposes of Requirement 12, “personnel” refers to full-time and part-time employees, temporary employees, contractors and consultants who are “resident” on the entity’s site or otherwise have access to the cardholder data environment.