(12.2.a) Will maintain daily operational security procedures consistent with the PCI-DSS, including administrative and technical procedures for each of the requirements.

(12.5) Chief Security Officer (or equivalent) is responsible for overseeing all aspects of information security, including but not limited to:

  • (12.5.1) creating and distributing security policies and procedures
  • (12.5.2) monitoring and analyzing security alerts and distributing information to appropriate information security and business unit management personnel
  • (12.8.4) monitoring service providers' PCI compliance at least annually
  • (12.5.3; 12.9) creating and distributing security incident response and escalation procedures that include:

      ◦ (12.10.1) roles, responsibilities, and communication
      ◦ (12.10.1) coverage and responses for all critical system components
      ◦ (12.10.1) notification, at a minimum, of credit card associations and acquirers
      ◦ (12.10.1) strategy for business continuity post compromise
      ◦ (12.10.1) reference or inclusion of incident response procedures from card associations
      ◦ (12.10.1) analysis of legal requirements for reporting compromises (for example, per California bill 1386)
      ◦ (12.9.2) annual testing
      ◦ (12.9.3, 12.9.5) designation of personnel to monitor for intrusion detection, intrusion prevention, and file integrity monitoring alerts on a 24/7 basis
      ◦ (12.9.4) plans for periodic training
      ◦ (12.9.6) a process for evolving the incident response plan according to lessons learned and in response to industry developments

  • (12.6; 12.6.1.a) maintaining a formal security awareness program for all employees that provides multiple methods of communicating awareness and educating employees (for example, posters, letters, meetings)
  • (10.6.a) reviewing security logs at least daily and following up on exceptions

(12.2.a) The Information Technology Office (or equivalent) shall maintain daily administrative and technical operational security procedures that are consistent with the PCI-DSS (for example, user account maintenance procedures, and log review procedures).

System and Application Administrators shall

  • Monitor and analyze security alerts and information and distribute to appropriate personnel
  • (12.5.4) administer user accounts and manage authentication
  • (12.5.5) monitor and control all access to data
  • (12.10.1) maintain a list of connected entities
  • (12.10.2) perform due diligence prior to connecting an entity, with supporting documentation
  • (12.10.3, 12.4) verify that the entity is PCI-DSS compliant, with supporting documentation
  • (12.10.4) establish a documented procedure for connecting and disconnecting entities
  • (10.7.a) retain audit logs for at least one year

The Human Resources Office (or equivalent) is responsible for tracking employee participation in the security awareness program, including:

  • (12.6.1.b) facilitating participation upon hire and at least annually
  • (12.6.2) ensuring that employees acknowledge in writing that they have read and understand the company’s information security policy
  • (12.7) screening potential employees to minimize the risk of attacks from internal sources

Internal Audit (or equivalent) is responsible for executing a (12.1.2) risk assessment process that identifies threats and vulnerabilities and results in a formal risk assessment.

General Counsel (or equivalent) will ensure that for service providers with whom cardholder information is shared:

  • (12.8.1) contracts require adherence to PCI-DSS by the service provider
  • (12.8.2) contracts include acknowledgement of responsibility for the security of cardholder data by the service provider