Requirement 12: Maintain a policy that addresses information security for all personnel.

A security policy must be established and made known to all relevant personnel. It must be updated annually and whenever significant changes occur. Keep in mind that for almost every requirement of the PCI DSS, you are required to have a corresponding policy to ensure that the requirement is maintained. Therefore, it is a good idea to structure your privacy policy to match the order, numbering scheme, and language of the PCI DSS requirements and sub-requirements. Doing this will make your privacy policy easier to navigate and reference. It will also help your PCI DSS assessments go smoothly.

A risk assessment must be performed annually and after significant changes to identify critical assets, threats, and vulnerabilities. A documented analysis of risks should be produced and retained for reference and progress tracking in risk mitigation efforts.

Usage policies should be established for critical technologies to match the requirements of 12.3. These policies help to ensure that remote access devices and technologies are used only in approved ways.

Information security responsibilities should be defined clearly in the security policy (see 12.4 and 12.5 for more detail on this). Service providers must also define a charter for a PCI DSS compliance program and assign overall accountability for maintaining compliance with the PCI DSS.

A formal security awareness training program must be used to ensure that all employees are trained upon hire and at least annually on the importance of cardholder data security. Multiple methods of training should be in place, such as security awareness posters, email notifications, and/or computer-based training.

Screen new employees (or employees promoted to a role that requires access to the CDE) with background checks to minimize the risk of attacks from inside sources.

Use a vendor management program to ensure that PCI compliance is verified annually for all partners and service providers to whom cardholder data is sent, or who could impact the security of your cardholder data.

Establish an incident response plan, and test it at least annually. Specific incident response plan requirements are listed in requirement 12.10.

