There’s more to PCI DSS v4.0 Requirement 12 than meets the eye

At Payment Card Assessments, LLC, we’ve launched our newest course that dives into:

  • What’s new: targeted risk analyses, scope, service provider responsibilities, and more
  • The evidence and interviews that need to happen
  • The challenges organizations may face with PCI DSS v4.0 Requirement 12

Having a robust Information Security Policy is only a fraction of Requirement 12

Did you know there are 10 main sub-requirements (12.1 through 12.10) in PCI DSS v4.0 Requirement 12? That’s right. 10.

And did you know that each main sub-requirement has multiple sub-requirements of its own? Requirements 12.2 and 12.7 are the only exceptions: each has a single sub-requirement (12.2.1 and 12.7.1).

CISOs need to pay attention to Requirement 12.1.4, because the information security policy must now formally assign responsibility for information security to a Chief Information Security Officer or “other information security knowledgeable member of executive management.” If your policy still leaves that assignment implicit, expect a finding.

Service providers need to pay particular attention to PCI DSS Requirement 12.4 and its sub-requirements, as these controls (executive responsibility for PCI DSS compliance and a documented, periodically reviewed compliance program) apply to service providers only.

Although…I make a compelling case for large merchants to adopt Requirement 12.4 and its sub-requirements voluntarily, because they lay the foundation for a rock-solid continuous PCI DSS v4.0 compliance program.

Are You Ready for Targeted Risk Analyses?

Future-dated requirements aren’t new, and v4.0 has more than 50 of them. All of them become mandatory on March 31, 2025, so the clock is already running.

There are a few to look out for in PCI DSS v4.0 Requirement 12.

In particular, Requirement 12.3, which is new in v4.0 and is all about formally identifying, evaluating, and managing risk to your cardholder data environment.

Our overview course for Requirement 12 includes a thorough review of the targeted risk analysis (12.3.1) that underpins 11 other future-dated requirements, those that let you set your own control frequency as long as a documented TRA justifies it. We even include a template that Pro and Corporate subscribers can use.

Do You Have Your PCI DSS Scope in Order?

In case you’re just hearing this now, PCI DSS v4.0 Requirement 12.5 REQUIRES you to have your scope in order: an inventory of in-scope system components (12.5.1), and documented scope that is confirmed at least once every 12 months and after any significant change to the environment (12.5.2).

If you’re already following our six simple steps to manage your PCI DSS scope and our recommended schedule to confirm and/or update scope, your QSA will love you. Or at the very least, like you a whole lot.

This requirement is effective March 31, 2024, the date v3.2.1 was retired. Two of its sub-requirements, 12.5.2.1 (scope confirmed at least every six months) and 12.5.3 (a documented scope review after significant organizational change), apply to service providers only and are future-dated to March 31, 2025.

If you don’t have our Ultimate PCI DSS Scope Guide, now is the time to get it. 

Security Awareness Training

Security awareness training (12.6) is not a new requirement; however, it does have a few future-dated sub-requirements (12.6.2, an annual review of the program; 12.6.3.1, training on phishing and social engineering; and 12.6.3.2, training on acceptable use) that you need to be incorporating THIS year to have them in place by March 31, 2025.

Service Providers: Strongest Ally or Weakest Link

PCI DSS v4.0 Requirement 12.8 and its sub-requirements are essentially the SAME as they’ve been for years: keep a list of your third-party service providers (TPSPs), hold written agreements with them, perform due diligence before engaging them, and monitor their compliance status.

As more and more merchants reduce scope by shifting functions to TPSPs, Requirement 12.8 is more relevant and important now than ever. A provider that is out of scope for you is still in scope for your risk.

We walk you through the steps to manage your TPSPs and build better partnerships with this critical component of your overall PCI DSS compliance strategy.

Heads up, service providers: yes, you do have to help your customers with their PCI DSS compliance. Please see Requirement 12.9, which requires a written acknowledgment of your responsibilities to customers and, on request, information about your PCI DSS compliance status and which requirements you cover on their behalf.

Incident Response Plan

The sub-requirements in PCI DSS v4.0 Requirement 12.10 are mostly the same. There are 3 future-dated requirements that you need to pay attention to:

  • 12.10.4.1: the frequency of incident response training must be defined by a targeted risk analysis (TRA)
  • 12.10.5: the incident response plan must cover alerts from the change- and tamper-detection mechanism for payment pages (the mechanism itself is required by 11.6.1)
  • 12.10.7: incident response procedures to initiate when stored PAN is discovered anywhere it’s not expected to be

Are you ready to get the low down on PCI DSS v4.0 Requirement 12? Today’s a great day to subscribe to our PCI Compliance Toolkit.

