There’s more to PCI DSS v4.0 Requirement 12 than meets the eye

At Payment Card Assessments, LLC, we’ve launched our newest course that dives into:

  • What’s new: targeted risk analyses, scope, service provider responsibilities, and more
  • Evidence and interviews that need to happen,
  • And the challenges organizations may face with PCI DSS v4.0 Requirement 12

Having a robust Information Security Policy is only a fraction of Requirement 12

Did you know there are 10 main sub-requirements in PCI DSS v4.0 Requirement 12? That’s right. 10. 

And did you know that each main sub-requirement has multiple sub-requirements? PCI DSS v4.0 Requirements 12.2 and 12.7 are the only exceptions to this statement. Both have one sub-requirement.

CISOs need to pay attention to Requirement 12.1.4 because it’s now required that the information security policy formally assigns information security to the CISO or “other information security knowledgeable member of executive management.”

Service providers need to pay particular attention to PCI DSS Requirement 12.4 and its sub-requirements as these controls are specific to service providers only. 

Although…I make a compelling case for large organizations to incorporate Requirement 12.4 and its sub-requirements as it lays a foundation for a rock solid continuous PCI DSS v4.0 compliance program.

Are You Ready for Targeted Risk Analyses?

Future dated requirements aren’t new and v4.0 has a total of 54 future dated requirements that you have exactly 12 months to put in place.

There are a few to look out for in PCI DSS v4.0 Requirement 12.

In particular, Requirement 12.3, which is all about identifying, evaluating and managing risk to your cardholder data environment.

Our overview course for Requirement 12 includes a thorough review of the targeted risk analysis (12.3.1) that’s required for 11 future dated requirements. We even include a template that Pro and Corporate subscribers can use.

Do You Have Your PCI DSS Scope in Order?

In case you’re just hearing this now, PCI DSS v4.0 Requirement 12.5 REQUIRES you to have your scope in order. 

If you’re already following our six simple steps to manage your PCI DSS scope and following our recommended schedule to confirm and/or update scope, your QSA will love you. Or at the very least, like you a whole lot.

This requirement is effective March 31, 2024. 

If you don’t have our Ultimate PCI DSS Scope Guide, now is the time to get it. 

Security Awareness Training

Security awareness training (12.6) is not a new requirement; however, it does have a few future dated sub-requirements that you need to be incorporating THIS year to ensure you have this in place effective March 31, 2025.

Service Providers: Strongest Ally or Weakest Link

PCI DSS v4.0 Requirement 12.8 and its sub-requirements are the SAME as they’ve been for years. 

As more and more merchants reduce scope by shifting to Third Party Service Providers, Requirement 12.8 is more relevant and important now than ever.

We walk you through the steps to manage your TPSPs and build better partnerships with this critical component of your overall PCI DSS compliance strategy.

Heads up Service Providers – yes, you do have to help your customers with their PCI DSS compliance. Please see Requirement 12.9.

Incident Response Plan

The sub-requirements in PCI DSS v4.0 12.10 are mostly the same. There are 3 future dated requirements that you need to pay attention to.

  • You’ve got a new training frequency requirement that requires a TRA
  • A change and tamper mechanism for payment pages
  • An incident response procedure when unsupervised payment account data is discovered in places it’s not supposed to be.

Are you ready to get the lowdown on PCI DSS v4.0 Requirement 12? Today’s a great day to subscribe to our PCI DSS Training and Resource Center.

