PCI DSS Requirement 12 | Severity: High | PCI-DSS | International

PCI-DSS Requirement 12 — Support Information Security with Organizational Policies and Programs

Maintained by: PCI SSC (enforced through the payment brands and acquiring banks)
Current as of March 31, 2022
Plain Language Summary
Comprehensive security policy reviewed annually. Incident response plan mandatory, tested annually, must specifically address card data breaches and notification to card brands.

A strong security policy sets the security tone for the whole entity and tells personnel what is expected of them. The information security policy must be reviewed at least once every 12 months and updated as needed to reflect changes to business objectives or to the risks facing the environment.

Requirement 12.10 covers incident response. An incident response plan must exist, be ready to be activated immediately on a suspected or confirmed security incident, and be tested at least once every 12 months. The plan must include procedures for containing and minimizing damage, assessing affected systems, identifying the cause of the compromise, reporting the incident, restoring operations, and preventing a recurrence. It must also define roles, responsibilities and contact strategies, including notification of the payment brands and the acquirer according to their own reporting requirements.