|
About the Maintain an Information Security Policy category
|
|
0
|
5
|
February 9, 2023
|
|
12.11.1 Additional requirement for service providers only: Maintain documentation of quarterly review process to include:
|
|
0
|
5
|
February 26, 2023
|
|
12.11 Additional requirement for service providers only: Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures. Reviews must cover the following processes:
|
|
0
|
6
|
February 26, 2023
|
|
12.10.6 Develop a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments
|
|
0
|
8
|
February 26, 2023
|
|
12.10.5 Include alerts from security monitoring systems, including but not limited to intrusion-detection, intrusion-prevention, firewalls, and file-integrity monitoring systems
|
|
0
|
7
|
February 26, 2023
|
|
12.10.4 Provide appropriate training to staff with security breach response responsibilities
|
|
0
|
6
|
February 26, 2023
|
|
12.10.3 Designate specific personnel to be available on a 24/7 basis to respond to alerts
|
|
0
|
6
|
February 26, 2023
|
|
12.10.2 Review and test the plan, including all elements listed in Requirement 12.10.1, at least annually
|
|
0
|
7
|
February 26, 2023
|
|
12.10.1 Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum:
|
|
0
|
17
|
February 26, 2023
|
|
12.10 Implement an incident response plan. Be prepared to respond immediately to a system breach
|
|
0
|
9
|
February 26, 2023
|
|
12.9 Additional requirement for service providers only: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or
|
|
0
|
6
|
February 26, 2023
|
|
12.8.5 Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity
|
|
0
|
6
|
February 26, 2023
|
|
12.8.4 Maintain a program to monitor service providers’ PCI DSS compliance status at least annually
|
|
0
|
6
|
February 26, 2023
|
|
12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement
|
|
0
|
5
|
February 26, 2023
|
|
12.8.2 Maintain a written agreement that includes an acknowledgment that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer,
|
|
0
|
4
|
February 26, 2023
|
|
12.8.1 Maintain a list of service providers including a description of the service provided
|
|
0
|
7
|
February 26, 2023
|
|
12.8 Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows:
|
|
0
|
6
|
February 26, 2023
|
|
12.7 Screen potential personnel prior to hire to minimize the risk of attacks from internal sources. (Examples of background checks include previous employment history, criminal record, credit history, and reference checks.)
|
|
0
|
13
|
February 26, 2023
|
|
12.6.2 Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures
|
|
0
|
5
|
February 26, 2023
|
|
12.6.1 Educate personnel upon hire and at least annually
|
|
0
|
5
|
February 26, 2023
|
|
12.6 Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures
|
|
0
|
7
|
February 26, 2023
|
|
12.5.5 Monitor and control all access to data
|
|
0
|
2
|
February 26, 2023
|
|
12.5.4 Administer user accounts, including additions, deletions, and modifications
|
|
0
|
7
|
February 26, 2023
|
|
12.5.3 Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations
|
|
0
|
6
|
February 26, 2023
|
|
12.5.2 Monitor and analyze security alerts and information, and distribute to appropriate personnel
|
|
0
|
4
|
February 26, 2023
|
|
12.5.1 Establish, document, and distribute security policies and procedures
|
|
0
|
4
|
February 26, 2023
|
|
12.5 Assign to an individual or team the following information security management responsibilities:
|
|
0
|
5
|
February 26, 2023
|
|
12.4.1 Additional requirement for service providers only: Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program to include:
|
|
0
|
4
|
February 26, 2023
|
|
12.4 Ensure that the security policy and procedures clearly define information security responsibilities for all personnel
|
|
0
|
7
|
February 26, 2023
|
|
12.3.10 For personnel accessing cardholder data via remote-access technologies, prohibit the copying, moving, and storage of cardholder data onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need
|
|
0
|
5
|
February 26, 2023
|