Requirement 12: Support information security with organizational policies and programs


  • Actively manage security team data-protection responsibilities by establishing, updating and communicating security policies and procedures aligned with the results of regular risk assessments.

  • Figure 28. Global state of PCI DSS compliance: Requirement 12

  • Full compliance: Requirement 12 saw the biggest gain of all 12 Key Requirements. In 2019, only 54.5% of organizations maintained compliance with this requirement; in 2020 that figure rose by 20.6 pp to 75.1%. The improvement is not explained by increased use of compensating controls, which in fact declined very slightly.

    Control gap: The overall control gap for this requirement narrowed from 8.4% to 4.9%. This is largely due to Control 12.8.2 (written agreements with service providers), which improved by a substantial 11.4 pp. Control 12.6 (security awareness program) also improved substantially.

    Compensating controls: The use of compensating controls remained almost unchanged (-0.1 pp) with very few organizations requiring any. Only Controls 12.1 (security policies) and 12.10 (incident response plan) were compensated.

  • Figure 29. Requirement 12 control performance

    • A tip on sustainable control effectiveness

      Numerous applications are available to automate the scheduling, delivery and monitoring of Requirement 12 objectives, including policy communication, risk management, vendor management, and user awareness and training. Managing this communication through ordinary, untracked email is not advised: there is no reliable record of who received a directive, who read it, or who acknowledged it. Instead, schedule the communication of compliance directives in advance, send them through an automated workflow, and feed response tracking into the organization's issue-tracking software so that missing acknowledgements are visible and can be escalated.


    The goal

    The goal of PCI DSS Key Requirement 12 is to develop and maintain a sustainable and secure control environment for the effective protection of payment card data. This means maintaining a comprehensive program, supported by an integrated set of documented organizational information security, risk management and compliance standards, policies and procedures, with oversight from a governance structure and supporting processes for effective execution and continuous improvement.

    This goal includes complete integration with all related PCI DSS Key Requirements for the establishment of an effective, integrated series of control systems, and the development and ongoing improvement of all related capabilities, processes, documentation, tools and training needed to achieve < Quantitatively managed/Optimized > maturity of this key requirement by < insert date >.

    Goal applicability and scope considerations

    • Documentation: Security policies, standards, procedures and guidance documents that cover all PCI DSS requirements, third-party vendor agreements, incident response plan, and security awareness program plan
    • People: This goal applies to all employees (such as IT and security staff, accountants, support staff, call center agents, and executives), contractors, consultants, and internal and external vendors and other third parties that provide support or maintenance services, and any individuals who can access account data or any system component within the CDE

    Goal requirements:

    Some of the primary conditions necessary to achieve the goal

    • Control environment: Establish and maintain an effective and sustainable control environment. The control environment is the set of actions, policies, values and management styles that set the tone of the organization's day-to-day activities; it reflects the organization's values and is the atmosphere in which people conduct their activities and carry out their control responsibilities. In an effective control environment, competent people understand their responsibilities and the limits of their authority, and are knowledgeable, mindful and committed to doing what is right and doing it the right way
    • Security policy—design and documentation: Establish the capability to design, document and maintain a complete and integrated set of PCI security and compliance, and risk management policies, standards and procedures
    • Security policy—training: Create the capability to design, implement and maintain supporting processes to effectively communicate and update, and to monitor user awareness and comprehension of the policy documentation set
    • Capability—incident response: Establish the ability to develop a comprehensive incident response plan that covers all components within the CDE, and to test its effectiveness, and continuously improve it
    • Capability—risk management: Maintain the ability to develop, implement and maintain a comprehensive risk management strategy, method and implementation plan with performance management
    • Capability—resource management: Create the ability to develop, implement and maintain secure human resources and third-party management practices, policies and procedures

    Strong dependencies and integration with other key requirements

    • All Requirements: Security policies and standards required for all key requirements
    • Requirements 10 & 11: Integration with logging, monitoring and testing for incident response
    • Requirement 6: Risk management integration with secure systems and software requirements
    • Requirements 5, 7, 8 & 9: Targeted risk analysis integration

    Short-term objectives

    • Communication: Make policies, standards, procedures and guidance available online to all stakeholders, and track access and use
    • Training: Conduct online policy training, track which individuals read relevant security policies and completed the training (implementation coverage), and test their comprehension of the material presented

    Long-term objectives

    • Integrate: Improve the integration and alignment between policy, standards, procedure and guidance documentation. Frequent internal identification, reporting and correction of any misalignments
    • Maturity: Achieve and maintain high-capability maturity on maintaining an effective control environment

    Common constraints

    • Competence: Incomplete, unclear, poorly articulated and ill-constructed security policies and standards
    • Capability: Lack of information security proficiency; governance, program design, risk management, compliance management; inadequate training and education