PCI DSS Requirement 12: Leverage Policy to Improve Security

width="200" />

Learn how to get compliant with PCI DSS Requirement 12. 

Michael Simpson (QSA, CISSP, CCNP)

If your organization has ever had a Payment Card Industry Data Security Standard (PCI DSS) assessment, you’ve probably noticed the big emphasis on having documented security policies and procedures. During an assessment, QSAs will typically verify that specific requirements are defined in company policies and procedures. Then, they’ll follow predefined testing procedures to verify that those controls are implemented in accordance with the PCI Data Security Standard and with written company policies.

There’s a good reason for this emphasis on written policies and procedures. If you have well-defined security policies and procedures—and you train your employees to follow them—you’re more likely to maintain a PCI-compliant, secure environment.

Requirement 12 of the PCI DSS calls for businesses to "maintain a policy that addresses information security for all personnel." Documentation also helps protect your business from potential liability should an attacker breach your organization’s data. Thoroughly documenting security policies and procedures helps forensic investigators see what security measures your company has in place.

Where do I start with documenting my data security policies and procedures?

If you’re starting from scratch, the thought of drafting all the required PCI DSS policies and procedures probably seems daunting. To give you a place to start, here’s a list of some policy/procedure items that need to be documented:

• Firewall configuration/hardening standard
• Server and workstation hardening standards
• Data retention and disposal policies
• Software development life cycle
• User provisioning/de-provisioning procedures
• Password policies
• Physical security policies and procedures
• Log monitoring and escalation procedures
• Employee manuals 

• Appropriate use policies
• Staff training procedures
• Third-party vendor management 

• Disaster recovery and incident response plans 


One approach to starting your policy and procedure documentation is to look through the PCI DSS and take note of all requirements that would need to be addressed in the security policy. Think about the day-to-day duties of staff. Which ones would be made safer and more PCI-compliant with the help of a written procedure. We recommend that you reach out to your QSA and ask for a list of required policy elements to guide you in this process.

To save time, consider purchasing ‘PCI policies and procedures’ templates. Or, look for publicly available examples of written security policies. Using policy templates can greatly reduce the time it takes to generate policy documentation, but be sure you customize the templates to fit your unique environment. Otherwise, if you are following a ‘compliance as a checklist’ mentality, written policy and procedure documentation will do nothing to foster a security-minded workforce or to reduce your risk of becoming part of next year’s breach statistics.

Leverage your risk assessment process

PCI DSS Requirement 12.2 says you should perform an annual risk assessment that identifies critical assets, threats, and vulnerabilities. An annual risk assessment will help you identify, prioritize, and manage information security risks. While performing your risk assessment, look to see if any of the risks identified during the risk assessment process can be reduced by a change in your security policy or by drafting new procedure documentation and training staff on following the new procedures.

Your security policies and procedures should be living documents. As your business environment or the threat landscape changes, you should revise policies to address these changes. Companies should review their policies at least annually to ensure they still meet the needs of the business.

Train employees

To help protect sensitive data, make sure employees are aware of company policies and procedures, and that they receive regular security awareness training. While we might be inclined to believe employees should inherently understand foundational data security principles and accompanying policies and procedures, that is simply not the case. Here are some tips to help your staff become a security asset instead of a liability:

• Set monthly training meetings: focus each month on a different aspect of a data security, such as passwords, social engineering, email phishing, etc. 

• Remind frequently: could be an email, newsletter, during standup meetings, and/or a PCI DSS security webinar with education and tips.
• Train employees on new policies ASAP: address security and PCI policies with newly hired employees soon after they’re hired.
• Make training materials easily available: Intranet/internal sites are a great way to keep training and policy materials accessible.
• Create incentives: reward your employees for being proactive.

• Regularly test employees: foster an environment where employees aren’t afraid to report suspicious behavior. 


Vendor management

As you draft security policies, realize that the policies’ effects need to be felt beyond the doors of your business. No company runs in isolation. Your company’s information security policy needs to specifically address how it will manage third-party relationships—especially when those third parties can affect the security of your cardholder data. Vendor management policies should proscribe a “vendor vetting process” that will ensure you meet due diligence prior to engagement with a service provider. Your information security policy should also define a process for vendors to follow, to ensure all service providers continue to handle your company’s data in a secure and PCI-compliant manner.

Michael Simpson (QSA, CISSP, CCNP) is a Principal Security Analyst at SecurityMetrics and has been in the IT Security industry for 15 years. He has a Bachelor of Science in Computer Science and a Masters in Business Administration.