PCI compliance requirement 12: Policy

Date: Jun 01, 2009

Diana Kelley and Ed Moyle of Security Curve review PCI compliance requirement 12: "Maintain a policy that addresses information security." To meet PCI compliance Requirement 12, you must:

  • Author and maintain a body of policy documentation stating how to address DSS requirements.

The compliance duo addresses common questions related to PCI compliance requirement 12, including how new hires should be screened.

Editor's note: This video is based on PCI DSS version 1.1. For updated information on the changes in PCI DSS version 1.2, see the following:

Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact editor@searchsecurity.com.    

PCI compliance requirement 12: Policy

Ed Moyle: So, the last requirement, policy. What it means is you just have a
body of policy that addresses all the requirements of PCI. That is easy to
say, but it's pretty difficult to do. The recommendation here would be to
just step through and have a statement of compliance in your policy that
says we're going to adhere to PCI. In Requirement 12, spelled out pretty
specifically, is a list of things that you have to have over and above
that. So just make sure that you do that. There is some specific stuff in
here related to human resources and onboarding and screening and so on.
One of the questions we get a lot is, what are we screening for? Credit,
checking references, criminal history? As far as what you check for, most
likely you're already doing something in this area, and most likely it's
going to be good enough. So don't stress about the specifics here; just
document what you're doing, document why you think it's sufficient, and
most likely your QSA will agree with you.

Diana Kelley: But be sure that you have all the pieces. There's one thing,
for example, incident response, which is kind of a throwaway in the DSS.
It's, "Oh, and have incident response," but as anybody who's worked in
incident response knows, this is actually a very complex piece of work that
you need to do to be prepared to respond. So when you get to that point of
policy, make sure you're working with others within your organization to
see what they've done. And that actually applies for testing as well,
because you may find that there are additional testing resources in your
company. So the quick hit on policy is you want to make sure that you have
one, or as many as you need. It has to be disseminated, and you have to have
training and awareness around PCI. Look, a lot of people don't understand
that a primary account number is on every credit card, so your employees may
not know how protected this data needs to be. So make sure you get the
training out there, and also take a look at what your vendors and your
partners are doing for PCI. So, that was number 12, so yeah.

Ed Moyle: Whew, a lot of requirements.

Diana Kelley: That was a whirlwind. Lots of requirements. We'd just like to
wrap up really briefly to let you know to go through and read the
documentation yourself, so that you're aware. The best way to get ready,
really, I think, is to use what the auditors are using, which is the
security audit procedures, and go through and see what they're going to be
testing you against. After you self-assess, find out what your problems
are, have a mitigation plan in place, and finally . . .

Ed Moyle: Sure. Yeah, if you can't meet a requirement, definitely look
to use compensating controls. Just meet the intent and rigor of the
requirement, make sure that they're documented, make sure that they're
agreed to, and you're in good shape. But they're a stopgap, though; they're
not a long-term solution. So if you're going to put a compensating control
in, make sure it meets the intent and rigor and is documented, and ideally
have it there for one year.

Diana Kelley: Document everything that you're doing and that's going to help
you quite a bit preparing and going through the assessment.
