
This blog is part of a blog series on the 12 requirements of PCI DSS. We discuss the common challenges and explain what kind of evidence is needed to comply with the requirement. Here we discuss:


Requirement 12: Maintain a policy that addresses information security for all personnel.


This requirement is based on the security policy established by the entity and informs company staff what is expected of them. All employees, contractors and consultants of the company with access to the cardholder data environment should be aware of the sensitivity of the data they handle and of their responsibility to protect it.


Challenges and steps to consider


  1. Write an information security policy that defines the security measures protecting the company's assets, especially card data. This policy should be known to all company personnel and should be reviewed and updated annually to address new threats.
  2. Perform an annual risk assessment that identifies threats and vulnerabilities that could negatively affect your business, and include the controls that reduce the probability and/or the potential impact of each threat. When doing the analysis, keep in mind that recognised risk assessment methodologies include, among others, OCTAVE, ISO 27005 and NIST SP 800-30.
  3. Write and implement usage policies for all personnel that prohibit, or define the correct use of, certain devices and technologies.
  4. Formally define information security responsibilities for all personnel in the security policy and procedures.
  5. Implement a formal security awareness program to make all staff aware of the cardholder data security policies and procedures.
  6. Perform thorough background checks before hiring personnel who are expected to be given access to cardholder data; this reduces the risk of unauthorized use of PANs and other cardholder data by individuals with questionable or criminal backgrounds.
  7. Maintain and implement policies and procedures to manage service providers that could affect the security of cardholder data.
  8. Implement an incident response plan that contains all the key elements needed for your company to respond effectively in the event of a breach that could impact cardholder data.
  9. Check at least quarterly that all security policies and operating procedures required by PCI DSS are being followed by the responsible personnel.


Need help with PCI DSS implementation? Our QSAs can help out.

Read more about:
PCI DSS requirement 1: Protecting Cardholder data environment
PCI DSS requirement 2: Change your defaults
PCI DSS requirement 3: Don’t store cardholder data
PCI DSS requirement 4: Encryption
PCI DSS requirement 5: Update and Scan
PCI DSS requirement 6: Develop and maintain secure systems and applications
PCI DSS requirement 7: Restrict access to CHD
PCI DSS requirement 8: Identify, Authenticate, and Authorize
PCI DSS requirement 9: Restrict physical access to Cardholder data
PCI DSS requirement 10: Track and monitor all access to network resources and cardholder data
PCI DSS requirement 11: Regularly test security systems and processes