Want a Word document copy of the entire policy template? Sign up for the PCI DSS Guru newsletter and receive a free copy that you can edit and use in your organization!

(12.5) Chief Security Officer (or equivalent) is responsible for overseeing all aspects of information security, including but not limited to:

  • (12.5.1) creating and distributing security policies and procedures
  • (12.5.2) monitoring and analyzing security alerts and distributing information to appropriate information security and business unit management personnel
  • (12.5.3) (12.9) creating and distributing security incident response and escalation procedures that include:
  • (12.9.1) roles, responsibilities, and communication
  • (12.9.1) coverage and responses for all critical system components
  • (12.9.1) notification, at a minimum, of credit card associations and acquirers
  • (12.9.1) strategy for business continuity post compromise
  • (12.9.1) reference or inclusion of incident response procedures from card associations
  • (12.9.1) analysis of legal requirements for reporting compromises (for example, per California bill 1386)
  • (12.9.2) annual testing
  • (12.9.3, 12.9.5) designation of personnel to monitor for intrusion detection, intrusion prevention, and file integrity monitoring alerts on a 24/7 basis
  • (12.9.4) plans for periodic training
  • (12.9.6) a process for evolving the incident response plan according to lessons learned and in response to industry developments
  • (12.6; 12.6.1.a) maintaining a formal security awareness program for all employees that provides multiple methods of communicating awareness and educating employees (for example, posters, letters, meetings)
  • (10.6.a) review security logs at least daily and follow-up on exceptions

(12.2.a) The Information Technology Office (or equivalent) shall maintain daily administrative and technical operational security procedures that are consistent with the PCI-DSS (for example, user account maintenance procedures, and log review procedures).

System and Application Administrators shall:

  • (12.5.2) monitor and analyze security alerts and information and distribute to appropriate personnel
  • (12.5.4) administer user accounts and manage authentication
  • (12.5.5) monitor and control all access to data
  • (12.8.1) maintain a list of service providers
  • (12.8.3) ensure there is a process for engaging service providers including proper due diligence prior to engagment
  • (12.8.4, 12.4) maintain a program to verify service providers’ PCI-DSS compliant status, with supporting documentation
  • (10.7.a ) retain audit logs for at least one year

The Human Resources Office (or equivalent) is responsible for tracking employee participation in the security awareness program, including:

  • (12.6.1.b) facilitating participation upon hire and at least annually
  • (12.6.2) ensuring that employees acknowledge in writing at least annually that they have read and understand the company’s information security policy
  • (12.7) screen potential employees prior to hire to minimize the risk of attacks from internal sources

Internal Audit (or equivalent) is responsible for executing an annual (12.1.2) risk assessment process that identifies threats, vulnerabilities, and results in a formal risk assessment.

General Counsel (or equivalent) will ensure that for service providers with whom cardholder information is shared:

  • (12.8.1, 12.4) written contracts require adherence to PCI-DSS by the service provider
  • (12.8.2, 12.4) written contracts include acknowledgement or responsibility for the security of cardholder data by the service provider