Req 12: Support Information Security with Organizational Policies and Programs
Maintain a comprehensive information security policy.
Responsibility
Merchant
Compliance Status
In Progress
90%
Overview
A strong security posture is supported by a formal, documented information security policy that sets the tone for the entire organization. This requirement ensures such a policy exists, is maintained, and is known to all relevant personnel.
Key Actions for Compliance
A non-exhaustive list of actions your organization should take to meet this requirement.
- Establish, publish, maintain, and disseminate a security policy.
- Implement a risk assessment process that is performed at least annually.
- Develop and maintain a security awareness program to ensure all personnel are aware of the importance of cardholder data security.
- Screen potential personnel before hire to minimize the risk of insider threats.
Testing Procedures (Simplified)
How auditors may verify that this requirement is met.
- Examine the information security policy to ensure it is reviewed at least annually and kept up to date.
- Review risk assessment documentation.
- Examine security awareness training materials and interview personnel to confirm they have completed the training.