PCI DSS Blog Series – Requirement 12

The Payment Card Industry Data Security Standard (PCI DSS) consists of nearly 400 individual controls and is a critical part of staying in business for any merchant, service provider, or subservice provider who is involved in handling cardholder data. We find that companies considering PCI are often caught off guard by how comprehensive the PCI DSS is. So, we thought we would help!

CompliancePoint’s PCI blog series will analyze each of the twelve Requirement families. We will outline common challenges our customers face with each requirement, answer some frequently asked questions, and provide some pro tips on becoming PCI certified.

This week’s entry into the PCI Series is Requirement 12: Maintain a policy that addresses information security for all personnel

Requirement 12: Maintain a policy that addresses information security for all personnel

Maintain an Information Security Policy

The twelfth and final requirement for PCI DSS compliance emphasizes the need to maintain a strong policy that addresses information security for all personnel. This will institute the level of security the entity seeks to maintain. To achieve this, entities are required to not only maintain strong security policies but also ensure that all personnel understand these policies, the sensitivity of data (through data classification), and their individual responsibilities toward protecting such data.  

This requirement is one of the most crucial of all twelve requirements, in that, it places a huge emphasis on documented policies and procedures which cannot be overlooked in each of the previous requirements. For every requirement, an assessor ensures that the entity has written policies and or procedures in place before reviewing all other evidence provided to verify that those policies are indeed being implemented.

Why do you Need to Comply with Requirement 12?

As an organization, the importance of maintaining strong policies cannot be overemphasized as your policies eventually depict the culture of your organization. Policies are internal control mechanisms that help manage employee behavior and show stakeholders a degree of accountability on the part of the organization. PCI Requirement 12 sets the standard on how often these policies should be audited and reviewed to ensure implementation, thereby encouraging employee participation in maintaining security goals. It also cuts across all other requirements. It emphasizes employee and third-party responsibilities, teaches new behaviors, helps build a positive culture, and overall helps to maintain compliance.

What do you Need to Comply?

Typical documentation needed to comply with Requirement 12 includes, but is not limited to:

  • Information security policies and procedures
  • Usage policies
  • Operational security procedures
  • Screening procedures
  • Formal acknowledgment of adherence to policies
  • Incident response plan
  • Incident response plan testing report
  • Risk assessment report
  • Roles and responsibilities for network management and all other personnel
  • Security awareness program
  • Security training records
  • List of service providers
  • Service provider engagement agreements

What would your Assessor be looking for?

To test and assess Requirement 12, typically your assessor will:

  • Review the information security policy and procedures to ensure that all requirements are addressed
  • Review the process for updating the information security policy
  • Determine the measure for distributing the information security policy and interviewing personnel to verify knowledge and understanding of said policy and their responsibilities
  • Review information security awareness materials and how it is distributed
  • Review training materials and ensure that all personnel are included upon hire and at least annually
  • Interview human resource personnel to verify they understand screening processes
  • Review the list of third-party service providers and verify that due diligence processes are in place
  • Review the incident response plan and ensure it covers everything listed in Requirement 12.10
  • Review reports from previously reported incidents or alerts to verify that the incident response plan and procedures were followed
  • Review results from incident response plan testing
  • Review evidence of training for security response personnel
  • Interview security response personnel to verify procedures are in place

Download our guide to Getting Started with the PCI DSS


Any entity involved in the processing, transmission or storage of cardholder data understands the necessity of complying with PCI DSS. There is a never-ending war against information security breaches and as researchers come up with solutions, these attackers come up with even more sophisticated attack vectors, hence, the need to stay protected. PCI DSS is a security standard, not a regulation, enforced by contracts between payment brands, merchants and acquirers. Compliance with this standard would not only help build trust between an organization and its customers but also prevent data breaches that could amount to millions in fines and legal penalties.

CompliancePoint is a Qualified Security Assessor Company (QSAC). Our consultants have decades of experience as practitioners and auditors. Please reach out to us at connect@compliancepoint.com if you have any questions about this requirement or how CompliancePoint can assist your organization with preparing for your PCI DSS Certification.

Check Out Other Posts in this Series

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.