PCI DSS – Requirement 12 – Maintain a Policy That Addresses Information Security for All Personnel

By Max Edwards | Updated 5 March 2024

PCI DSS Requirement 12 mandates the establishment and maintenance of a comprehensive information security policy that is communicated to and understood by all personnel. This requirement is essential for fostering a culture of security awareness and ensuring that all employees are informed of their responsibilities in protecting cardholder data and maintaining the security of the organisation's information assets.

What Is PCI DSS Requirement 12?

When you’re navigating the complexities of PCI DSS compliance, understanding the core of Requirement 12 is crucial. This requirement serves as the backbone for protecting your organisation’s information assets by mandating a comprehensive information security policy.

The Essence and Impact on Information Security

PCI DSS Requirement 12 is fundamentally about governance. It insists on a robust information security policy that provides clear direction for safeguarding sensitive data. This policy is the cornerstone of your security strategy, ensuring that every aspect of cardholder data protection is addressed.

Role of Organisational Policies in Supporting Compliance

Organisational policies and programmes are not just a formality; they are active components of your security infrastructure. By aligning your policies with PCI DSS Requirement 12, you’re committing to a structured approach to data protection, risk management, and incident response.

Intersection with Other PCI DSS Requirements

Requirement 12 doesn’t operate in isolation. It intersects with other PCI DSS requirements to create a holistic security approach. For instance, the policies and risk analyses it demands set the frequencies and ownership for Requirement 11’s vulnerability scanning and penetration testing, and its incident response plan (12.10) is what consumes the alerts generated under Requirement 10’s logging and monitoring.

ISMS.online Aligns with PCI DSS Requirement 12

At ISMS.online, we understand the intricacies of PCI DSS compliance. Our platform is designed to help you align your organisational policies with Requirement 12, ensuring a seamless integration of governance, risk management, and compliance activities. With our tools and resources, you can establish, maintain, and review your information security policies with confidence, knowing that they are in full alignment with PCI DSS standards.

Comprehensive Information Security Policy

At the heart of PCI DSS Requirement 12.1 is the mandate for a robust information security policy. This policy is your organisation’s blueprint for safeguarding cardholder data, and it must be comprehensive, clear, and current. Let’s explore the critical components and structure of this policy, as well as the review process to ensure its effectiveness over time.

Key Components of an Information Security Policy

Your information security policy should encompass:

  • Purpose and Scope: Clearly define the purpose of the policy and the data and resources it protects.
  • Roles and Responsibilities: Assign specific security responsibilities to individuals or teams.
  • Data Protection Measures: Outline the controls and practices to protect cardholder data.
  • Acceptable Use: Establish rules for the acceptable use of technology and information.
  • Risk Management: Include a process for identifying, assessing, and mitigating risks.

Structuring Your Policy for Clarity and Direction

To provide clear direction for asset protection, your policy should be:

  • Accessible: Ensure that the policy is easily accessible to all relevant personnel.
  • Understandable: Use clear, concise language that can be understood by all employees.
  • Enforceable: Include provisions for non-compliance and ensure that the policy can be enforced.

Reviewing and Updating Your Policy

PCI DSS 12.1.2 sets the minimum cadence, so you should:

  • Review Annually: Conduct a thorough review of your policy at least once every 12 months.
  • Adapt to Changes: Update the policy whenever business objectives change or new risks to the environment appear, not only at the annual review.
  • Document Changes: Keep a version history with approval dates and approvers, which is what an assessor will ask for as evidence that the policy is current.

By adhering to these guidelines, you’re laying a solid foundation for compliance and security measures within your organisation. At ISMS.online, we provide the tools and support to help you develop and maintain a comprehensive information security policy that aligns with PCI DSS Requirement 12.



Roles and Responsibilities for Security Governance

Effective security governance is pivotal for PCI DSS compliance, and it starts with clearly defined roles and responsibilities. As you navigate through Requirement 12, understanding who is accountable for each aspect of your information security is crucial. At ISMS.online, we provide a structured approach to help you establish and communicate these roles within your organisation.

Best Practices for Establishing Accountability

To ensure accountability within your security governance structure, consider the following best practices:

  • Identify Roles: List all roles involved in information security, from the executive team to the operational staff.
  • Assign Responsibilities: Clearly assign specific security tasks and responsibilities to each role.
  • Communicate Expectations: Make sure that everyone understands their security-related duties and how they contribute to PCI DSS compliance.

Supporting PCI DSS Compliance Efforts

A clear delineation of responsibilities aids in PCI DSS compliance by:

  • Ensuring Coverage: Confirming that all aspects of the standard are addressed by designated personnel.
  • Facilitating Training: Targeting training efforts to the roles that need it most.
  • Streamlining Audits: Making it easier for auditors to verify compliance by showing a well-defined governance structure.

Streamlining Management with ISMS.online

Our platform simplifies the management of roles and responsibilities by providing:

  • Centralised Documentation: Keep all role definitions and assignments in one accessible location.
  • Clear Workflows: Use our workflows to ensure tasks are completed by the right people.
  • Audit Trails: Maintain records of actions taken, supporting accountability and traceability.

By leveraging ISMS.online, you can ensure that your organisation’s security governance is well-defined, communicated, and aligned with PCI DSS requirements.


Implementing and Enforcing Acceptable Use Policies

Creating an effective acceptable use policy (AUP) is a cornerstone of PCI DSS Requirement 12.2. This policy governs how end-user technologies are utilised within your organisation, ensuring that their use does not compromise cardholder data security.

Crafting an Effective Acceptable Use Policy

An effective AUP should:

  • Specify Allowed and Prohibited Actions: Clearly outline what users can and cannot do with the organisation’s technology and data.
  • Be User-Friendly: Use language that is easy to understand for all employees, regardless of their technical expertise.
  • Include Consequences for Violations: Detail the repercussions of not adhering to the policy to ensure compliance.

Ensuring Compliance with PCI DSS Requirement 12.2

To ensure compliance, your organisation should:

  • Regularly Train Employees: Conduct training sessions to educate employees about the AUP and their responsibilities.
  • Monitor and Enforce: Use monitoring tools to ensure adherence and apply the policy consistently across the organisation.
  • Update as Needed: Regularly review and update the AUP to reflect new technologies and threats.

Overcoming Challenges in Policy Enforcement

Challenges in enforcing AUPs can include:

  • Lack of Awareness: Combat this by integrating the AUP into your onboarding process and regular staff training.
  • Resistance to Change: Address this by involving employees in the policy creation process and explaining the importance of compliance.

Contribution to Overall Security Posture

A well-implemented AUP enhances your security posture by:

  • Reducing Risks: Minimising the likelihood of security incidents due to misuse of technology.
  • Aligning with Best Practices: Ensuring that user behaviour aligns with industry standards and compliance requirements.

At ISMS.online, we understand the importance of a strong AUP and provide the tools and guidance to help you implement and enforce these critical policies effectively.



Conducting Risk Assessments

Risk assessment is a critical component of PCI DSS Requirement 12.3, serving as the foundation for protecting cardholder data within your organisation. At ISMS.online, we provide a structured framework to guide you through this essential process.

Methodologies for Risk Assessment

For a thorough risk assessment in the cardholder data environment, you should consider:

  • Identifying Threats: Determine potential threats to cardholder data, such as cyber-attacks or internal vulnerabilities.
  • Evaluating Vulnerabilities: Assess the weaknesses in your systems that could be exploited.
  • Analysing Impact: Understand the potential impact of threats materialising, considering both financial and reputational consequences.

Frequency of Risk Assessments

To maintain PCI DSS compliance, conduct risk assessments:

  • At Least Every 12 Months: PCI DSS v4.0 (12.3.1) requires the documented targeted risk analyses to be refreshed at least once every 12 months.
  • After Significant Changes: Reassess risks whenever there are significant changes to your systems, network topology, or business processes, since these can move components into or out of scope.

Role of Risk Management

Risk management plays a pivotal role by:

  • Prioritising Risks: Helping you focus on the most significant threats to cardholder data.
  • Guiding Mitigation Efforts: Informing the development of strategies to reduce risk to an acceptable level.

ISMS.online’s Role in Risk Assessment and Management

Our platform assists you by:

  • Streamlining Documentation: Making it easy to document and track your risk assessment findings and actions.
  • Facilitating Collaboration: Enabling your team to work together effectively on risk management tasks.

By leveraging ISMS.online, you can ensure that your risk assessment and management processes are thorough, up-to-date, and aligned with PCI DSS requirements.


Executive Management and Compliance

In the framework of PCI DSS compliance, the involvement of executive management is not just beneficial; it’s imperative. Requirement 12.4 emphasises the need for senior leadership to take an active role in overseeing and prioritising the organisation’s compliance efforts. Note that in PCI DSS v4.0 the sub-requirements 12.4.1 (executive management establishes responsibility for protecting cardholder data and for a PCI DSS compliance programme) and 12.4.2 (quarterly reviews that personnel are performing their assigned tasks) apply to service providers only; for merchants they remain good practice rather than a tested control. At ISMS.online, we understand the significance of this directive and offer strategies to ensure that your executive team is effectively engaged.

The Crucial Role of Executive Management

Assigning responsibility at executive management level is crucial for:

  • Visibility: Ensuring that PCI DSS compliance is recognised as a key business priority.
  • Resource Allocation: Securing the necessary resources for effective compliance management.
  • Culture: Fostering a culture of security within the organisation.

Strategies for Senior Leadership Involvement

To involve senior leadership effectively, you should:

  • Regular Briefings: Keep the executive team informed with regular updates on compliance status and challenges.
  • Direct Involvement: Include executives in strategic discussions and decision-making processes related to PCI DSS.
  • Accountability: Assign specific compliance-related responsibilities to senior leaders.

Impact of Executive Engagement on Security Initiatives

Executive engagement can significantly influence the success of information security initiatives by:

  • Setting the Tone: Demonstrating a top-down commitment to security and compliance.
  • Strategic Alignment: Ensuring that information security initiatives are aligned with the organisation’s strategic goals.

By integrating these strategies, you’re not only aligning with PCI DSS Requirement 12.4 but also bolstering the overall effectiveness of your information security programme. With our support at ISMS.online, your executive team can navigate the complexities of PCI DSS compliance with confidence.



Documenting and Validating the PCI DSS Scope

Accurate documentation and validation of the PCI DSS scope are critical steps outlined in Requirement 12.5. This process ensures that all system components that store, process, or transmit account data, or that could affect its security (including connected-to systems and the segmentation controls that keep other networks out of scope), are identified and managed according to PCI DSS. Requirement 12.5.2 expects the scope to be documented and confirmed at least once every 12 months and after any significant change to the environment. At ISMS.online, we provide the tools and guidance to help you establish a comprehensive scope for your PCI DSS compliance efforts.

Maintaining an Accurate Inventory

To maintain an accurate inventory of your system components and devices, you should:

  • Catalogue All Assets: List all hardware and software components within the cardholder data environment (CDE), including connected-to systems, with the function or use of each (12.5.1).
  • Regular Updates: Keep the inventory current with regular reviews and updates whenever changes occur.
  • Verification: Periodically verify the inventory against an independent source, such as a network discovery scan or CMDB export, so that no component is overlooked and retired entries are removed.

Best Practices for Asset Tagging and Ownership

Effective asset management includes:

  • Tagging: Label each asset with a unique identifier for easy tracking.
  • Ownership Assignment: Assign an owner to each asset who is responsible for its maintenance and compliance.
  • Purpose Specification: Document the purpose of each asset to clarify its role within the CDE.

Contribution to Compliance Management

A well-defined PCI DSS scope enhances compliance management by:

  • Focusing Efforts: Directing security measures to where they are most needed.
  • Streamlining Audits: Facilitating the audit process.
  • Reducing Risks: Minimising the risk of overlooking assets that could be potential vulnerabilities.

By following these steps, you can ensure that your organisation’s PCI DSS scope is clearly defined, documented, and validated, contributing to a robust compliance management system.
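The verification step above is where inventories usually fail in practice: assessors find hosts on the card network that nobody documented, or documented entries that no longer exist. The following is an added example, not ISMS.online’s own tooling and not a format defined by PCI DSS, of reconciling a documented scope inventory against a discovery export. The CDE subnets, the CSV columns and both data sets are constructed for the example; substitute your own scan output and inventory fields.

```python
"""Reconcile a documented PCI DSS scope inventory against a discovery export.

Constructed sample data throughout. The column names and the CDE subnets are
assumptions made for this example, not a PCI DSS or ISMS.online format.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass

# Assumption: these are the segmented card-processing networks.
CDE_NETWORKS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "10.20.1.0/24")]

# Constructed inventory as the organisation documented it (12.5.1-style fields).
INVENTORY_CSV = """asset_id,hostname,ip,owner,purpose,in_scope
CDE-0001,pos-gw-01,10.20.0.10,payments-team,POS gateway,yes
CDE-0002,tok-db-01,10.20.0.20,dba-team,Tokenisation DB,yes
CDE-0003,jump-01,10.20.1.5,,Admin jump host,yes
CDE-0004,legacy-rpt,10.20.1.40,finance,,yes
CORP-0100,wiki-01,10.50.3.7,it-ops,Intranet wiki,no
CDE-0005,old-pos-gw,10.20.0.11,payments-team,Retired POS gateway,yes
CORP-0101,mon-01,10.20.1.60,it-ops,Monitoring agent,no
"""

# Constructed discovery export, e.g. live hosts from an authenticated network scan.
DISCOVERED_IPS = {
    "10.20.0.10", "10.20.0.20", "10.20.1.5", "10.20.1.40",
    "10.20.1.60", "10.20.1.77", "10.50.3.7", "10.50.3.99",
}

# Fields that must be populated for every inventory row (asset_id, owner, purpose).
REQUIRED_FIELDS = ("asset_id", "owner", "purpose")


@dataclass(frozen=True)
class Finding:
    kind: str    # unknown_host | missing_field | stale_entry | scope_conflict
    asset: str   # asset_id, or the IP when the host is not in the inventory
    detail: str


def in_cde(ip: str, cde_networks=CDE_NETWORKS) -> bool:
    """True when the address falls inside one of the CDE networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in cde_networks)


def load_inventory(text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(inventory_csv: str, discovered_ips: set, cde_networks=CDE_NETWORKS) -> list[Finding]:
    """Compare the documented inventory with what discovery actually saw."""
    rows = load_inventory(inventory_csv)
    inventoried_ips = {r["ip"] for r in rows}
    findings = []

    # 1. Live on a CDE network but never documented: a scoping gap an assessor will find.
    for ip in sorted(discovered_ips - inventoried_ips):
        if in_cde(ip, cde_networks):
            findings.append(Finding("unknown_host", ip, "on a CDE network but not in inventory"))

    for r in rows:
        label = r["asset_id"] or r["ip"]
        # 2. Mandatory fields (owner, purpose) left blank: the entry cannot be verified.
        for f in REQUIRED_FIELDS:
            if not r.get(f, "").strip():
                findings.append(Finding("missing_field", label, f"{f} is empty"))
        # 3. Documented as in scope but not seen: retired asset still in the inventory, or an outage.
        if r["in_scope"].lower() == "yes" and r["ip"] not in discovered_ips:
            findings.append(Finding("stale_entry", label, f"{r['ip']} not seen in discovery"))
        # 4. Marked out of scope yet sitting inside a CDE network: the exclusion needs justification.
        if r["in_scope"].lower() == "no" and in_cde(r["ip"], cde_networks):
            findings.append(Finding("scope_conflict", label, f"{r['ip']} is inside a CDE network"))
    return findings


def summarise(findings: list[Finding]) -> dict:
    """Count findings per kind, which is what goes into the scope-confirmation record."""
    counts: dict = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = reconcile(INVENTORY_CSV, DISCOVERED_IPS)
    for f in results:
        print(f"{f.kind:15} {f.asset:12} {f.detail}")
    print(summarise(results))
```

Hosts discovered outside the CDE ranges (10.50.3.99 in the sample) are deliberately ignored here, since they belong to a separate corporate inventory; if your segmentation is not yet validated, widen `CDE_NETWORKS` to every network that can reach the CDE. Each `scope_conflict` should end with either a documented segmentation justification or the asset being brought into scope.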

Screening Personnel to Mitigate Insider Threats

In the context of PCI DSS Requirement 12.7, our focus at ISMS.online is to support you in implementing robust personnel screening processes. Requirement 12.7.1 asks that potential personnel who will have access to the cardholder data environment are screened prior to hire, within the constraints of local law, to reduce the risk of attacks from internal sources, which can be as damaging as external ones.

Recommended Screening Processes

To mitigate insider threats, we recommend the following screening processes:

  • Background Checks: Conduct comprehensive background checks that include verification of employment history, criminal records, and reference checks.
  • Credit History Reviews: For roles with financial responsibilities, consider reviewing credit histories as part of the screening process.
  • Ongoing Assessments: Implement periodic reassessments to ensure continued compliance and address any changes in an employee’s background.

Alignment with Security and Privacy Regulations

Requirement 12.7 aligns with broader security and privacy regulations by:

  • Protecting Sensitive Data: Ensuring that individuals with access to cardholder data are trustworthy and reliable.
  • Complying with Legal Standards: Adhering to employment laws and privacy standards during the screening process.

Addressing Challenges in Personnel Screening

Challenges in personnel screening can be addressed by:

  • Clear Policies: Establishing clear policies on the scope and frequency of screenings.
  • Transparency: Being transparent with candidates about the screening process.
  • Consistency: Applying the screening process consistently across all relevant roles.

Enhancing the Security Framework

Effective personnel screening enhances your security framework by:

  • Building Trust: Creating a trustworthy environment where sensitive data is handled responsibly.
  • Reducing Risk: Lowering the risk of data breaches from within the organisation.

By incorporating these practices, you’re not only complying with PCI DSS but also strengthening your overall security posture.


Managing Third-Party Service Provider Risks

As it relates to PCI DSS compliance, managing the risks associated with third-party service providers is a critical aspect covered under Requirement 12.8. As part of our services at ISMS.online, we guide you through the essential considerations and best practices to ensure that your third-party relationships do not compromise your commitment to data security.

Key Considerations for Third-Party Risk Management

When managing third-party service provider risks, you should:

  • Assess Risks: Evaluate the potential risks each third-party service provider may introduce to your cardholder data environment.
  • Due Diligence: Perform thorough due diligence before onboarding new service providers to understand their security practices and compliance levels.

Ensuring Third-Party Compliance with PCI DSS

To ensure third-party compliance, Requirement 12.8 expects your organisation to:

  • Maintain a List of TPSPs: Keep a current list of all third-party service providers with which account data is shared, or that could affect the security of account data, with a description of the service each provides (12.8.1).
  • Hold Written Agreements: Maintain written agreements in which each TPSP acknowledges its responsibility for the security of the account data it possesses, stores, processes or transmits, or could affect (12.8.2).
  • Perform Due Diligence Before Engagement: Follow an established process for engaging TPSPs that includes proper due diligence prior to engagement (12.8.3).
  • Monitor Compliance Status: Review each TPSP’s PCI DSS compliance status at least once every 12 months (12.8.4).
  • Record the Split of Responsibilities: Maintain information about which PCI DSS requirements are managed by each TPSP, which are managed by your organisation, and which are shared (12.8.5).

The Role of Written Agreements

Written agreements are crucial as they:

  • Clarify Expectations: Explicitly state the security measures that service providers must adhere to.
  • Define Liabilities: Outline the consequences of non-compliance or security breaches.

Monitoring and Validation Practices

To monitor and validate third-party compliance, consider implementing:

  • Regular Evidence Reviews: Obtain each provider’s current Attestation of Compliance (AOC), or equivalent evidence for the services you consume, at least once every 12 months; where a provider is not PCI DSS validated, assess the relevant controls yourself.
  • Continuous Monitoring: Use tools and services to track the security posture of third-party providers between annual reviews, and feed material changes back into the risk assessment.

By following these steps, you can maintain a strong security stance while working with third-party service providers, ensuring that your organisation’s data remains protected in line with PCI DSS requirements.


Developing and Testing an Incident Response Plan

An incident response plan is a critical component of your organisation’s security strategy and a key requirement of PCI DSS Requirement 12.10. At ISMS.online, we emphasise the importance of a well-structured plan that prepares you for the unexpected, ensuring that you can respond swiftly and effectively to any security incident.

Essential Components of an Incident Response Plan

Your incident response plan should include:

  • Preparation: Establish roles and responsibilities for the incident response team, plus the communication and contact strategy for a suspected or confirmed incident, including notification of the payment brands and acquirers (12.10.1).
  • Detection and Analysis: Outline procedures for identifying and assessing the incident, including how alerts from security monitoring systems such as IDS/IPS, network security controls and file-change detection are triaged and responded to (12.10.5).
  • Containment, Eradication, and Recovery: Define steps to control the incident, eliminate the threat, and restore systems, along with the evidence-preservation steps needed for any later forensic investigation.
  • Post-Incident Activity: Include processes for reviewing and learning from the incident and for feeding lessons learned back into the plan (12.10.6).

Testing and Reviewing the Incident Response Plan

To ensure the effectiveness of your incident response plan:

  • Conduct Regular Exercises: Test the plan with tabletop exercises and simulations so that gaps surface before a real incident does.
  • Review Annually: Evaluate, test and update the plan at least once every 12 months (12.10.2) and after significant changes, and ensure personnel are available to respond 24/7 (12.10.3).

Training Provisions for the Incident Response Team

Ensure that your incident response team is well-prepared by providing:

  • Comprehensive Training: Cover all aspects of the plan and the team’s specific roles.
  • Regular Updates: Keep the team informed of new threats and changes to the plan.

Impact of a Robust Incident Response Plan

A robust incident response plan enhances organisational resilience by:

  • Minimising Damage: Reducing the impact and duration of security incidents.
  • Improving Response Times: Ensuring a quick and coordinated reaction to incidents.

By integrating these elements into your incident response strategy, you’re not only complying with PCI DSS but also fortifying your organisation’s defences against potential security breaches.


PCI DSS Requirement 12 and ISO 27001 Mapping

Navigating the complexities of compliance frameworks can be challenging. At ISMS.online, we understand the importance of aligning PCI DSS Requirement 12 with ISO 27001:2022 controls. This alignment not only streamlines your compliance efforts but also reinforces your information security management system.

Aligning Information Security Policies

For Requirement 12.1, which focuses on a comprehensive information security policy, the corresponding ISO 27001:2022 clauses and controls are:

  • Clause 5.2: Policy
  • A.5.1: Policies for information security
  • A.5.2: Information security roles and responsibilities

Acceptable Use and End-User Technology Management

Under Requirement 12.2, acceptable use policies for end-user technologies must be defined and implemented, aligning with:

  • A.5.10: Acceptable use of information and other associated assets

Formal Risk Identification and Management

Requirement 12.3’s emphasis on risk management corresponds to ISO 27001:2022’s:

  • Clause 6.1.2: Information security risk assessment
  • Clause 6.1.3: Information security risk treatment
  • Clause 8.2: Information security risk assessment (the operational, recurring assessment)

Oversight of PCI DSS Compliance

Managing PCI DSS compliance as per Requirement 12.4 is mapped to:

  • Clause 5.1: Leadership and commitment
  • Clause 9.3: Management review
  • A.5.36: Compliance with policies, rules and standards for information security

Documentation and Validation of PCI DSS Scope

For documenting and validating the PCI DSS scope (Requirement 12.5), refer to:

  • Clause 4.3: Determining the scope of the information security management system
  • A.5.9: Inventory of information and other associated assets

Ongoing Security Awareness Education

The ongoing activity of security awareness education in Requirement 12.6 aligns with:

  • A.6.3: Information security awareness, education, and training

Personnel Screening to Mitigate Insider Threats

Requirement 12.7’s personnel screening processes correspond to:

  • A.6.1: Screening

Managing Third-Party Service Provider Risks

Managing risks associated with third-party service providers (Requirement 12.8) is mapped to:

  • A.5.19: Information security in supplier relationships
  • A.5.21: Managing information security in the ICT supply chain
  • A.5.22: Monitoring, review and change management of supplier services

Supporting Customers’ PCI DSS Compliance

Third-party service providers supporting customers’ PCI DSS compliance (Requirement 12.9) align with:

  • A.5.20: Addressing information security within supplier agreements

Immediate Response to Security Incidents

Finally, the immediate response to security incidents (Requirement 12.10) corresponds to:

  • A.5.24: Information security incident management planning and preparation
  • A.5.26: Response to information security incidents
  • A.5.27: Learning from information security incidents

By understanding these mappings, you can ensure that your compliance efforts are not only meeting PCI DSS standards but are also in line with the best practices outlined in ISO 27001:2022.



How ISMS.online Helps with Requirement 12

Navigating PCI DSS Requirement 12 can be complex, but you’re not alone. At ISMS.online, we specialise in simplifying this process, providing comprehensive support to ensure your information security policies and programmes are robust and compliant.

How We Simplify Compliance

Our platform offers:

  • Guided Implementation: Step-by-step guidance to help you develop and implement the necessary policies and programmes.
  • Templates and Tools: Ready-to-use templates and tools that streamline the documentation and compliance processes.

Enhancing Your Security Posture

By partnering with us, you can:

  • Strengthen Policies: Utilise our expertise to create policies that are not only compliant but also enhance your security posture.
  • Ensure Continuity: Maintain an up-to-date and effective information security programme that evolves with your organisation’s needs.

The ISMS.online Advantage

Choosing ISMS.online means:

  • Integrated Management: A single platform that integrates all aspects of your information security management system.
  • Expert Support: Access to our team of experts who can provide tailored advice and support.

Let us help you demystify PCI DSS Requirement 12 and bolster your organisation's compliance efforts. Contact us today to learn more about how we can assist you.


PCI DSS Requirements Table

The twelve PCI DSS requirements, using the titles from PCI DSS v3.2.1 (v4.0 reworded several; Requirement 12 is there titled “Support Information Security with Organizational Policies and Programs”):

  • Requirement 1: Install and Maintain a Firewall Configuration to Protect Cardholder Data
  • Requirement 2: Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters
  • Requirement 3: Protect Stored Cardholder Data
  • Requirement 4: Encrypt Transmission of Cardholder Data Across Open, Public Networks
  • Requirement 5: Protect All Systems Against Malware and Regularly Update Antivirus Software or Programs
  • Requirement 6: Develop and Maintain Secure Systems and Applications
  • Requirement 7: Restrict Access to Cardholder Data by Business Need to Know
  • Requirement 8: Identify and Authenticate Access to System Components
  • Requirement 9: Restrict Physical Access to Cardholder Data
  • Requirement 10: Track and Monitor All Access to Network Resources and Cardholder Data
  • Requirement 11: Regularly Test Security Systems and Processes
  • Requirement 12: Maintain a Policy That Addresses Information Security for All Personnel
