How to Comply with the 12 Requirements of PCI Compliance

Complying with the 12 requirements of the PCI DSS can be complicated. Read this blog for an in-depth description of each requirement, tips for meeting it, and answers to frequently asked PCI questions.


PCI Requirement 1: Firewalls 

What is PCI Requirement 1?

The first PCI DSS requirement is to protect your business’s systems with firewalls. (PCI DSS v4.0 uses the broader term “network security controls,” which also covers virtual firewalls, cloud security groups, and similar filtering technology.) Properly configured firewalls protect the sensitive card data you process or store by restricting incoming and outgoing network traffic according to rules your organization defines.

When looking at what kind of firewalls are best for you, it’s important to know what options are available. 

There are two types of firewalls you’ll want in place for your organization: hardware firewalls and software firewalls. Both provide a first line of defense for your network, but offer different benefits:

  • Hardware (network) firewalls sit at a network boundary. They can protect an entire network and segment its internal areas. Hardware firewalls are typically more expensive, take time to configure properly, and need to be maintained and reviewed regularly.
  • Software (host-based) firewalls are cheaper and easier to maintain. They protect the single host they run on, which matters most for laptops and mobile devices that move in and out of your secure environment. If an employee clicks a link in a phishing email, a host firewall does not stop the download itself, but it can block inbound connections to the device and limit any malware that lands from reaching other systems or calling out on unexpected ports.

See also:  Compliance with PCI Requirement 1: Basics of Managing Your Firewall

How do I comply with PCI Requirement 1?

Firewalls are a foundational and time-tested computer security defense. They play a crucial role in network protection and compliance with the Payment Card Industry Data Security Standard (PCI DSS). 

However, with over 20 PCI DSS sub-requirements outlining firewall specifics, knowing where to start and what to focus on can be overwhelming. 

Merely installing a firewall at the network perimeter isn't enough to achieve PCI DSS compliance. Proper installation, regular updates, and maintenance are essential. Remember, firewall rules must be reviewed semi-annually.

Here are five main components you’ll need to address to be compliant with PCI DSS Requirements:

  1. Ensure Correct Firewall Configuration: Don't treat network firewalls as plug-and-play tech. Establish rules to dictate what's allowed in and what goes out. Regularly update and maintain firewall rules for maximum security.
  2. Document Everything: Record firewall configurations and completed tasks for PCI DSS compliance and organization. Create diagrams, define roles, and justify allowed services.
  3. Restrict Traffic: Control the flow of traffic around your cardholder data environment. Use network segmentation and rule sets to block unwanted traffic effectively.
  4. Protect New Technology: Install personal network firewalls on mobile and employee-owned devices that connect to the Internet and access your network.
  5. Monitor and Tighten Control: Review firewall and router rule sets every six months. Implement proper log management to detect and respond to potential security breaches effectively.

How does a firewall work?

Network firewalls can be software or hardware technologies that provide a first line of defense for a network. Firewalls restrict incoming and outgoing network traffic through rules and criteria configured by the organization.

A hardware firewall, or perimeter firewall, is installed between an organization’s network and the Internet to protect the systems inside. A software firewall only protects the device on which it is installed. Many computers come pre-installed with software firewalls, but for computers connecting to your cardholder data environment remotely, a personal firewall is required.

In summary, a hardware firewall protects an environment from the outside world, and a software firewall protects a specific device. For example, if an attacker tries to reach your systems from the Internet, your perimeter firewall should block the connection. If a sales manager clicks a link in a phishing email, the computer’s host firewall will not stop the page from loading, but it can block inbound connections to the machine and stop malware that does land from spreading to other systems or communicating on ports you have not allowed.

How do I set up a firewall?

Setting up a firewall can vary depending on the type of firewall you have (hardware or software) and the specific requirements of your network. However, here are some general guidelines for setting up your firewall. 

  • Step 1: Secure your firewall

Update firmware and change all default credentials. Create separate administrator accounts with only the privileges each person needs. Disable Simple Network Management Protocol (SNMP) if you do not need it; if you do, use SNMPv3 with authentication and encryption, because SNMPv1/v2c community strings travel in cleartext and the vendor defaults (public/private) are universally known.

  • Step 2: Architect firewall zones and IP addresses

Identify assets, group them by sensitivity, and create network zones accordingly. Use private (RFC 1918) IP addresses and network address translation (NAT) for internal networks. Switches with virtual local area networks (VLANs) provide Layer 2 separation between zones.

  • Step 3: Configure access control lists

Define the permitted traffic for each zone with specific access control lists (ACLs) based on source and destination IP address, protocol, and port, and write each rule as narrowly as the business need allows. End every list with an explicit deny-all rule so anything not expressly permitted is dropped. Never expose administrative interfaces to the Internet.

  • Step 4: Configure other firewall services and logging

Enable needed services and disable unnecessary ones. Send firewall logs to a central logging server, as PCI DSS Requirement 10 expects, and synchronize the firewall’s clock with your time source so its log entries can be correlated with other systems.

  • Step 5: Test your firewall configuration

Once you’re confident you’ve set it up properly, test it in a controlled environment and verify it blocks unwanted traffic. Include external and internal vulnerability scanning and penetration testing. Keep a secure backup of the configuration. Consult a security expert for review.

For more in-depth information, see also: How to Configure a Firewall in 5 Steps.
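The five steps above come down to a few properties an assessor will look for in the rule set itself: every chain ends in an explicit deny, denied traffic is logged, and nothing is allowed “any to any” or exposes a management service to unrestricted sources. The script below is an added example (not code from this page or from SecurityMetrics) that audits an iptables-save style rule dump for exactly those properties. The rule set it audits is constructed for illustration, and the ADMIN_PORTS list is an assumption you would tune to your own environment.

```python
"""Audit an iptables-save style ruleset for the PCI DSS Requirement 1 points above.

Checks: every chain ends in an explicit deny (or has a DROP/REJECT policy),
denied traffic is logged, there are no any/any ACCEPT rules, and no
administrative service is accepted from an unrestricted source.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Management services that should never be reachable from "any" (assumption: tune per environment)
ADMIN_PORTS = {"22", "23", "161", "3389"}  # SSH, Telnet, SNMP, RDP


@dataclass
class Rule:
    chain: str
    src: Optional[str]
    dst: Optional[str]
    proto: Optional[str]
    dport: Optional[str]
    target: str
    raw: str


def _opt(line: str, flag: str) -> Optional[str]:
    """Return the value following a flag such as '-s' or '--dport', if present."""
    m = re.search(rf"(?:^|\s){re.escape(flag)}\s+(\S+)", line)
    return m.group(1) if m else None


def parse_ruleset(text: str) -> Tuple[Dict[str, str], List[Rule]]:
    """Return ({chain: policy}, [rules]) from iptables-save style text."""
    policies: Dict[str, str] = {}
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^:(\S+)\s+(\S+)", line)          # e.g. ":INPUT DROP [0:0]"
        if m:
            policies[m.group(1)] = m.group(2)
        elif line.startswith("-A "):
            rules.append(Rule(chain=line.split()[1],
                              src=_opt(line, "-s"), dst=_opt(line, "-d"),
                              proto=_opt(line, "-p"), dport=_opt(line, "--dport"),
                              target=_opt(line, "-j") or "", raw=line))
    return policies, rules


def audit(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the ruleset passed."""
    policies, rules = parse_ruleset(text)
    findings: List[str] = []
    by_chain: Dict[str, List[Rule]] = {}
    for r in rules:
        by_chain.setdefault(r.chain, []).append(r)

    for chain, policy in policies.items():
        chain_rules = by_chain.get(chain, [])
        last = chain_rules[-1].target if chain_rules else None
        if policy not in ("DROP", "REJECT") and last not in ("DROP", "REJECT"):
            findings.append(f"{chain}: no deny-all at end (policy {policy}, last target {last})")
        if not any(r.target == "LOG" for r in chain_rules):
            findings.append(f"{chain}: denied traffic is not logged (no LOG rule)")

    for r in rules:
        if r.target != "ACCEPT":
            continue
        if r.src is None and r.dst is None and r.proto is None:
            findings.append(f"{r.chain}: any/any ACCEPT -> {r.raw}")
        elif r.src is None and r.dport in ADMIN_PORTS:
            findings.append(f"{r.chain}: admin port {r.dport} accepted from any source -> {r.raw}")
    return findings


# Constructed sample ruleset (not from a real device) with deliberate mistakes in FORWARD.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 10.10.50.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "FW-INPUT-DROP "
-A FORWARD -s 10.10.0.0/16 -d 10.20.0.5/32 -p tcp --dport 443 -j ACCEPT
-A FORWARD -p tcp --dport 3389 -j ACCEPT
-A FORWARD -j ACCEPT
-A OUTPUT -d 203.0.113.10/32 -p tcp --dport 443 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "FW-OUTPUT-DROP "
-A OUTPUT -j DROP
COMMIT
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULESET):
        print(finding)
```

Run it against the sample and all four findings point at the FORWARD chain: no terminal deny, no logging, RDP accepted from anywhere, and a blanket ACCEPT. The INPUT chain passes because its policy is DROP and the OUTPUT chain passes because it ends in an explicit DROP after a LOG rule, which is the shape every chain should have. Running something like this after every firewall change, and keeping the output, also produces the evidence the six-monthly rule review needs.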

What are the advantages of using a firewall?

Using a firewall provides several advantages for enhancing network security and protecting sensitive data. Some of the key advantages of using a firewall include:

  • Network Protection:
    Firewalls act as a barrier between your organization's internal network and networks from the outside world, such as the Internet. They control and monitor incoming and outgoing traffic, preventing unauthorized access and potential cyberattacks.
  • Access Control:
    Firewalls enable administrators to set rules and access control lists (ACLs) that determine which traffic is allowed to enter or leave the network. This helps prevent unauthorized access to sensitive data and resources.
  • Threat Mitigation:
    Firewalls block traffic to and from services that have no business reason to be reachable, which removes most of the attack surface before any exploit is attempted. Firewalls with intrusion prevention or deep packet inspection can additionally detect and block known malicious traffic patterns. They act as the first line of defense against a wide range of cyber threats.
  • Network Segmentation:
    Firewalls allow for the creation of network zones and segments, separating different parts of the network based on their security requirements. This helps contain and limit the impact of a security breach.
  • Application Control:
    Next-generation firewalls can inspect and control application-level traffic, allowing organizations to enforce policies related to the use of specific applications and services.
  • Monitoring and Logging:
    Firewalls maintain logs of network activities, keeping track of who had access to your network and what they did, which can be extremely helpful for auditing and forensic purposes. Monitoring firewall logs can also aid in identifying potential security incidents.
  • Compliance and Cybersecurity Standards:
    Many regulatory standards, such as the PCI DSS and the Health Insurance Portability and Accountability Act (HIPAA), require the use of firewalls as a fundamental security measure.
  • Prevent Data Exfiltration:
    Firewalls can prevent unauthorized data exfiltration by monitoring and blocking suspicious outgoing traffic that may contain sensitive information.
  • Scalability:
    Firewalls can be deployed in various configurations to fit the needs of small businesses, large enterprises, and cloud environments, making them adaptable to different network infrastructures.
  • Protection for Remote Users:
    Firewalls can be extended to protect remote users and devices through virtual private network (VPN) connections, ensuring a secure connection to the organization's network.

What are the different types of firewalls?

There are several types of firewalls available, each with its own purpose, features, and functions. The most common types of firewalls include:

  • Packet Filtering Firewalls:
    These are the most basic types of firewalls. They examine individual packets of data as they pass through the network. Packet filtering firewalls use predefined rules to allow or block traffic based on criteria like source IP address, destination IP address, protocol, and port numbers. While simple and efficient, they lack the ability to inspect the contents of packets, making them less effective against more sophisticated threats.
  • Stateful Inspection Firewalls:
    Also known as dynamic packet filtering firewalls, stateful inspection firewalls maintain a state table to keep track of active connections. They analyze the state of the connection and apply more advanced filtering based on the context of the traffic. Stateful inspection firewalls can identify and block malicious traffic, offering better security than packet-filtering firewalls.
  • Proxy Firewalls:
    Proxy firewalls act as intermediaries between clients and servers, handling communication on behalf of the clients. They receive requests from clients, validate and process them, and then forward the requests to the intended servers. Likewise, responses from servers are validated and processed before reaching the clients. Proxy firewalls provide better security and anonymity for internal systems but can introduce latency due to additional processing.
  • Next-Generation Firewalls (NGFW):
    NGFWs combine the features of traditional firewalls with additional security technologies, such as intrusion prevention systems (IPS), application awareness, deep packet inspection (DPI), and TLS decryption. NGFWs offer more advanced threat detection and application-level control, allowing organizations to identify and block specific applications or categories of applications.
  • Cloud Firewalls:
    Cloud-based firewalls are deployed and managed by cloud service providers, offering protection for cloud-based infrastructure and resources. They can be virtual appliances or part of cloud security services, offering scalable and flexible protection for cloud environments.

Which firewall is most suitable for my organization's needs?

The most suitable type of firewall for your organization depends on various factors, including:

  • Security Requirements
  • Network Complexity
  • Budget 
  • Scalability
  • Compliance Requirements
  • User Requirements

Ultimately, the most suitable type of firewall for your organization will depend on a combination of these factors. It's essential to conduct a thorough assessment of your organization's needs and consult with cybersecurity experts or vendors to find the best fit for your specific requirements and limitations.

PCI Requirement 2: Passwords and settings

What is PCI requirement 2?

PCI Requirement 2 is to configure passwords and settings. This requirement is designed to ensure that organizations do not use default settings or passwords provided by vendors for their systems and security parameters. Default passwords are often well-known or easily discoverable by attackers, making systems vulnerable to unauthorized access and potential data breaches.

How do I comply with PCI requirement 2?

For Requirement 2, organizations must take the following actions:

  • Change default passwords:
    Ensure that all default passwords provided by vendors for hardware, software, applications, and systems are changed during the initial setup. Use strong and unique passwords for each system component.
  • Customize security parameters:
    Adjust system security parameters and settings to meet your organization's security needs. Avoid using standard configurations that may be known to attackers. Industry configuration standards (for example CIS Benchmarks) give you a documented hardening baseline to start from.
  • Disable unnecessary services and accounts:
    Remove or disable default accounts you do not use, and disable unneeded services, protocols, daemons, and functions on every system component, so there is less to secure and less for an attacker to find.
  • Securely manage passwords:
    Implement strong password management policies, including using complex passwords, enforcing regular password changes, and limiting the number of login attempts.
  • Restrict access to passwords:
    Limit access to passwords and other authentication credentials to only authorized personnel who require them for their job functions.
  • Document changes and configurations:
    Maintain a record of changes made to passwords and security parameters for auditing and accountability purposes.

PCI Requirement 3: Protect stored cardholder data  

What is PCI requirement 3?

PCI DSS Requirement 3 deals with protecting stored cardholder data. To fulfill this requirement, you’ll need to render any primary account number (PAN) you store unreadable, using strong encryption, truncation, one-way hashing, or tokenization. Encryption takes sensitive data such as payment card details and makes it unreadable to anyone who does not hold the key. Sensitive authentication data (full track data, card verification codes, and PINs) must not be stored at all once a transaction has been authorized.

The primary goal of this requirement is to minimize the risk of data breaches that could lead to the theft of cardholder information.

To achieve compliance with Requirement 3, organizations must adhere to the following key points:

  • Keep storage to a minimum (retain only what business, legal, or regulatory need requires, and securely delete the rest)
  • Never store sensitive authentication data after authorization
  • Render stored PAN unreadable (strong encryption, truncation, hashing, or tokenization)
  • Manage cryptographic keys securely
  • Restrict access to stored data and to keys
  • Mask PAN when displayed (BIN and last four digits at most, unless there is a documented business need to see more)
  • Regularly review and test these controls

How do I comply with PCI requirement 3?

Stored PAN must be rendered unreadable, most often with strong encryption using an industry-accepted algorithm and key length (for example AES with a 128-bit or longer key; AES-256 is common), or by truncating, hashing, or tokenizing it. Unfortunately, many merchants don’t know they are storing unencrypted primary account numbers (PANs).

Some places that may be hiding card data include:

  • Error logs: These often contain full card data when an error in card authentication occurs
  • Sales departments: They often have emailed or printed forms containing card data
  • Customer service representatives: Typically, they take card numbers over the phone and have handwritten card data
  • Administrative assistants: They may have a spreadsheet containing an executive’s card number for quick access 

Not only must card data be protected to comply with PCI Requirement 3, but the encryption keys must be protected as well. Leaving encryption keys unprotected is like leaving your house key in the front door lock, so it’s critical to use a solid PCI DSS key management process: store keys separately from the data they protect (or in a hardware security module), restrict them to the fewest custodians possible, and rotate them at the end of their cryptoperiod or whenever compromise is suspected.

Payment card data can easily leak due to poor processes or misconfigured software. It’s important to look where you think the data may be and then look where it shouldn’t be.

PCI DSS requires a current diagram for all card data flows in your organization. A card data flow diagram is a graphical representation of how card data moves through an organization. As you define your environment, ask all organizations and departments if they receive cardholder information and determine how their answers may change your current understanding of your organization’s card data flows.

In addition to looking at data flows and processes, you should regularly run a cardholder data discovery tool (such as PANscan® or PIIscan) on your systems. These tools help identify the location of unencrypted PAN. Knowing where PAN is stored helps confirm whether your cardholder data environment (CDE) is actually the environment you think it is. It also helps identify which processes or data flows need to be adjusted.
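What a discovery tool does under the hood is worth understanding, because the same logic lets you grep your own log archives and exports between formal scans. The example below is added here and is not code from this page or from the PANscan product: it pulls 13- to 19-digit runs out of text, keeps only those that match a known issuer pattern and pass the Luhn check (which discards most phone numbers, timestamps, and ticket IDs), and reports each hit masked to BIN plus last four so the scan output itself does not become another place PAN is stored. The sample lines are constructed, the issuer patterns are an assumption you would extend for the brands you accept, and the card numbers are the brands’ published test numbers, not real accounts.

```python
"""Find unencrypted PANs in text (logs, exports, spreadsheets) the way a card data discovery tool does.

A digit run is treated as a PAN only if it matches a known issuer pattern AND passes the Luhn check,
which removes most phone numbers, timestamps, and ticket IDs.
"""
import re
from typing import Iterable, List, NamedTuple

# 13-19 digits, optionally separated by single spaces or dashes, not glued to other digits
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Issuer identification patterns (assumption: extend for the brands you actually accept)
ISSUER_RULES = [
    ("Visa", re.compile(r"^4\d{12}(?:\d{3}){0,2}$")),                                   # 13, 16 or 19 digits
    ("Mastercard", re.compile(r"^(?:5[1-5]\d{14}|2(?:2[2-9]\d|[3-6]\d{2}|7[01]\d|720)\d{12})$")),
    ("American Express", re.compile(r"^3[47]\d{13}$")),
    ("Discover", re.compile(r"^6(?:011|5\d{2})\d{12}$")),
]


class Finding(NamedTuple):
    line_no: int   # zero-based index into the scanned lines
    issuer: str
    masked: str    # BIN + last four, the most PCI DSS allows on a routine display


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def identify_issuer(digits: str) -> str:
    for name, pattern in ISSUER_RULES:
        if pattern.match(digits):
            return name
    return ""


def mask_pan(digits: str) -> str:
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_lines(lines: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    for line_no, line in enumerate(lines):
        for match in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            issuer = identify_issuer(digits)
            if issuer and luhn_valid(digits):
                findings.append(Finding(line_no, issuer, mask_pan(digits)))
    return findings


# Constructed sample input. The card numbers are the brands' public test numbers, not real accounts.
SAMPLE_LINES = [
    "2024-03-02T10:15:22Z pos-01 auth FAILED card=4111 1111 1111 1111 exp=12/26 resp=05",
    "2024-03-02T10:16:01Z pos-01 auth OK token=tok_8f3a9c order=10045",
    "Customer callback: 555-0100 ext 4412, card on file 378282246310005",
    "invoice ref 4111111111111112 amount 19.99",          # looks like a Visa PAN but fails Luhn
    "exec travel card: 5555-5555-5555-4444 (keep handy)",
    "phone 801-555-0123 ticket 20240302-00017",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.issuer} PAN found -> {f.masked}")
```

The first sample line is the classic Requirement 3 failure the list above warns about: a declined authorization logged with the full PAN. The fourth line shows why the Luhn step matters; it has a valid Visa shape but is not a real card number, and a scanner without the check would drown you in false positives. Point scan_lines at log files, mailbox exports, or CSV dumps of shared drives and anything it reports is either PAN that must be removed or encrypted, or a data flow that is missing from your diagram.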

Here are a few more things to think about while fulfilling Requirement 3:

  • Reduce your PCI scope:
    The less you have to secure, the better. Streamline your card data flows and make sure you’re only storing what’s necessary.
  • Segment networks:
    While not required by the PCI DSS, network segmentation keeps your cardholder data environment separate from the rest of your network, reducing risk.
  • Place an individual in charge of PCI compliance:
    Becoming compliant can take time and effort. Establishing responsibility for PCI compliance can reduce confusion and increase accountability.

PCI Requirement 4: Encrypt transmission of cardholder data

What is PCI requirement 4?

PCI DSS Requirement 4 focuses on ensuring that cardholder data is transmitted securely across networks. This requirement aims to prevent unauthorized interception and access to cardholder data during transmission.

For requirement 4, you need to know where you send cardholder data. Here are common places where primary account numbers (PAN) are sent:

  •   Processors
  •   Backup servers
  •   Third parties that store or handle PAN
  •   Outsourced management of systems or infrastructure
  •   Corporate offices

You also need to use encryption and have security policies in place when you transmit cardholder data over open, public networks.

How do I comply with PCI requirement 4?

To comply, ensure that cardholder data is transmitted securely over networks. Here are some tips to help you understand and meet Requirement 4:

  • Use Secure Protocols: Transmit cardholder data only under strong cryptography, which today means TLS 1.2 or later with strong cipher suites and properly validated certificates. SSL (all versions) and early TLS (1.0 and 1.1) are no longer considered secure.
  • Disable Insecure Protocols: Disable SSLv2, SSLv3, TLS 1.0, and TLS 1.1 on servers, clients, and POS components, and confirm that no fallback to them is possible. These protocols have known vulnerabilities and must not be used for transmitting sensitive data.
  • Regularly Update and Patch: Keep your systems and encryption libraries up to date with the latest security patches. This includes both client and server components involved in transmitting data.
  • Protect Wireless Communication: If cardholder data is transmitted over wireless networks, use strong authentication and encryption such as WPA2 (AES/CCMP) or WPA3, and never WEP or open networks. Change default wireless keys and management credentials on access points.
  • Limit Data Transmission: Transmit only the cardholder data the transaction actually needs, and never send sensitive authentication data (full magnetic stripe or chip data, card verification codes, or PINs) except as part of authorization. Never send unprotected PAN over end-user messaging such as email, chat, or SMS.
  • Implement Access Controls: Use strong access controls to restrict access to encryption keys and cardholder data during transmission. Ensure only authorized personnel can access these resources.
  • Regularly Test Encryption: Conduct regular security testing and vulnerability assessments to ensure the effectiveness of encryption mechanisms and protocols.
  • Document Policies and Procedures: Create and maintain documentation outlining your secure transmission policies and procedures. Provide guidelines for employees on how to handle and transmit cardholder data securely.
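Two of the tips above, using only TLS 1.2 or later and disabling the older protocols, have a concrete shape in code and in configuration. The snippet below is an added example, not code from this page or from any PCI tool: it builds a Python TLS client context that refuses anything older than TLS 1.2 and insists on certificate and hostname validation, and it audits an nginx-style ssl_protocols directive for versions that should no longer be enabled. The directive strings are constructed for illustration.

```python
"""Enforce and audit the transport protocol policy behind Requirement 4.

hardened_client_context() builds a Python ssl context that refuses SSLv3 / TLS 1.0 / TLS 1.1 and
insists on certificate and hostname validation; audit_protocol_directive() reviews an nginx-style
'ssl_protocols' line for versions that should no longer be enabled.
"""
import ssl
from typing import Dict, List

# Versions PCI DSS no longer accepts as strong cryptography for cardholder data in transit
INSECURE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def hardened_client_context() -> ssl.SSLContext:
    ctx = ssl.create_default_context()             # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse anything older during the handshake
    ctx.options |= ssl.OP_NO_COMPRESSION           # TLS-level compression enabled CRIME-style attacks
    return ctx


def context_summary(ctx: ssl.SSLContext) -> Dict[str, object]:
    """Plain-data view of the settings an assessor would ask about."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
    }


def audit_protocol_directive(directive: str) -> List[str]:
    """Return the insecure protocol names enabled by an nginx 'ssl_protocols ...;' directive."""
    tokens = directive.strip().rstrip(";").split()
    if not tokens or tokens[0] != "ssl_protocols":
        raise ValueError("expected an nginx ssl_protocols directive")
    return [t for t in tokens[1:] if t in INSECURE_PROTOCOLS]


if __name__ == "__main__":
    print(context_summary(hardened_client_context()))
    # Constructed directive as it might appear in a legacy server block
    print(audit_protocol_directive("ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;"))
```

The same minimum_version setting applies to server-side contexts created with ssl.Purpose.CLIENT_AUTH, and the directive audit is the kind of check worth running over every web server and load balancer configuration in the CDE before an ASV scan does it for you.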

PCI Requirement 5: Anti-malware Software 

What is PCI requirement 5? 

For PCI Requirement 5, make sure that all systems are protected against malware and that you regularly update anti-malware software. Review your anti-malware software, install it on systems prone to malware, and frequently update these programs to detect known malware.

How do I comply with PCI requirement 5?

  • Deploy Anti-Malware Software: Install and maintain a working anti-malware solution on all in-scope system components, except those you have evaluated and documented as not commonly affected by malware (and re-evaluate that list periodically). This includes servers, workstations, and mobile devices. The software should be capable of detecting, removing, and protecting against all known types of malicious software, including viruses, worms, Trojans, spyware, and ransomware.
  • Ensure Regular Updates: Ensure that your software is kept up to date with the latest malware definitions, scanning engines, and patches. Automated updates are often recommended to ensure the antivirus software remains effective in detecting and protecting against new threats.
  • Schedule Anti-Malware Scans: Implement a regular schedule for anti-malware scans. These scans should check for malware on all systems, including your POS devices. Verify that you or your POS vendor runs these scans at the recommended intervals.
  • Logging and Retention: Maintain comprehensive logs of all software activities, including scans, updates, and any detected malware. Logs should be retained according to PCI DSS requirements (typically a minimum of one year), and they should be available for review during assessments and investigations.

PCI Requirement 6: Updates and patches

What is PCI requirement 6? 

PCI DSS Requirement 6 makes sure that you’re regularly updating and maintaining secure systems and applications. This requirement is aimed at verifying any software and systems used within your payment card environment are secure and do not introduce vulnerabilities that could be exploited by attackers. 

Quickly implementing security updates is crucial to your security posture. Patch all critical components in the card flow pathway, including:

  •   Internet browsers
  •   Firewalls
  •   Application software
  •   Databases
  •   POS terminals
  •   Operating systems

How do I comply with PCI requirement 6?

The most important thing you can do is be vigilant and consistently update the software associated with your system. 

You can also: 

  • Establish a process for secure software development: Implement procedures to ensure that your organization's software and applications are developed securely. 
  • Regularly assess and address vulnerabilities: Implement a process to identify and address vulnerabilities in your software. This includes regularly scanning for vulnerabilities, performing code reviews, and addressing any identified issues promptly.
  • Document and communicate policies: Establish and maintain policies and procedures to support secure software development practices. Ensure that your development team communicates and understands these policies.

PCI Requirement 7: Restricted access

What is PCI requirement 7? 

To meet PCI DSS Requirement 7, you’ll need to restrict access to cardholder data and ensure that only authorized personnel have access. 

PCI DSS requires a defined and up-to-date list of the roles with access to the cardholder data environment. For each role, record its definition, the data resources it can reach, the privilege level it currently has, and the privilege level actually necessary to perform normal business responsibilities. Every authorized user must fit into one of the roles you outline.

How do I comply with PCI requirement 7?

Access control plays a significant role in data security and preventing data breaches. Organizations must document and implement access control policies, regularly review and update access privileges, and monitor access activities to ensure compliance with this requirement. 

Here are some practices to implement to stay compliant with PCI requirement 7: 

  • Limit access to system components and cardholder data to only those individuals whose job requires such access. 
  • Establish an access control system for systems with multiple users that restricts access based on a “need to know” basis. 
  • Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties. 
  • Keep access lists up to date. It's vital that access privileges are reviewed and updated regularly. This includes removing access for individuals who no longer require it.
  • Immediately revoke access for any terminated users. 
  • Create and assign access privileges to individuals based on their job classification and function. 
  • Group access to system components and cardholder data by job function, so only those with a legitimate business need can access. 
  • Do not use group, shared, or generic IDs, passwords, or other authentication methods. 
  • Restrict physical access to cardholder data.
  • Track and monitor all access to network resources and cardholder data. 

PCI Requirement 8: Unique IDs

What is PCI requirement 8? 

PCI DSS Requirement 8 involves identifying and authenticating access to system components. Authenticating access includes things like unique IDs, passwords, MFA, and temporary access. The primary goal of the requirement is to ensure that only authorized users can access system components and that their identities are properly authenticated.

How do I comply with PCI requirement 8? 

PCI DSS Requirement 8 entails establishing unique IDs. Here are some tips to help you comply with Requirement 8:

  • Unique User IDs: Each individual with access to system components should have a unique user ID. This means no shared or generic accounts.
  • Secure Passwords: PCI DSS v4.0 requires a minimum of 12 characters (8 where a system cannot support 12) containing both letters and numbers; longer passphrases are strongly recommended. A new password may not match any of the previous four. If a password is the only authentication factor for an account, it must be changed at least every 90 days.
  • Multi-Factor Authentication (MFA): Implement MFA for all non-console access into the cardholder data environment and for all remote network access that originates from outside your network. MFA requires two or more independent factors (something you know, something you have, something you are).
  • User Lockout: Lock the account after no more than 10 consecutive failed login attempts, for at least 30 minutes or until an administrator verifies the user’s identity.
  • Temporary Access: Grant temporary access on a need-to-know basis only. Document the reason for granting it and set a specific expiration date.
  • Inactive User Accounts: Disable or remove user accounts that have been inactive for 90 days.
  • Use of Default Passwords: Change default passwords before any system or application is deployed (see Requirement 2).
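The password, reuse, lockout, and expiry rules above are easy to state and easy to get subtly wrong when they meet in one authentication routine. The following is an added example (not code from this page or from any PCI product) that puts them together: a policy check that also rejects well-known vendor defaults from Requirement 2, a salted PBKDF2 history of the last four passwords, and a login routine that locks after the tenth failure for 30 minutes and tells a correct-but-stale password apart from a valid one. Times are plain Unix timestamps so the logic can be exercised without a live clock; the PBKDF2 round count and the default-credential list are assumptions for illustration.

```python
"""Password policy, reuse history, and brute-force lockout for PCI DSS Requirement 8 (with the
default-credential check from Requirement 2).

Times are Unix timestamps (int seconds) so the logic can be exercised without a live clock.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MIN_LENGTH = 12                  # 8.3.6: at least 12 characters (8 if the system cannot support 12)
HISTORY_DEPTH = 4                # 8.3.7: must differ from the previous four passwords
MAX_AGE_SECONDS = 90 * 86400     # 8.3.9: 90 days when a password is the only factor
MAX_FAILED = 10                  # 8.3.4: lock out after no more than 10 failed attempts
LOCKOUT_SECONDS = 30 * 60        # 8.3.4: locked for at least 30 minutes
PBKDF2_ROUNDS = 100_000          # assumption: raise for production, or use argon2/bcrypt instead

# Illustrative vendor defaults (Requirement 2); real block lists are far longer.
DEFAULT_CREDENTIALS = {"admin", "password", "changeme", "default", "admin123"}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class Account:
    user_id: str
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # newest first
    changed_at: Optional[int] = None
    failed_attempts: int = 0
    locked_until: Optional[int] = None


def password_problems(account: Account, candidate: str) -> List[str]:
    """Return every policy rule the candidate breaks (empty list means acceptable)."""
    problems: List[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        problems.append("must contain both letters and numbers")
    if candidate.lower() in DEFAULT_CREDENTIALS:
        problems.append("is a well-known vendor default")
    for salt, digest in account.history[:HISTORY_DEPTH]:     # re-hash with each stored salt
        if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
            problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
            break
    return problems


def set_password(account: Account, candidate: str, now: int) -> None:
    problems = password_problems(account, candidate)
    if problems:
        raise ValueError("; ".join(problems))
    account.history.insert(0, hash_password(candidate))
    del account.history[HISTORY_DEPTH:]                       # keep current + three prior
    account.changed_at = now
    account.failed_attempts = 0
    account.locked_until = None


def password_expired(account: Account, now: int) -> bool:
    return account.changed_at is None or now - account.changed_at > MAX_AGE_SECONDS


def attempt_login(account: Account, candidate: str, now: int) -> str:
    """Return 'locked', 'failed', 'expired' (correct but must be changed) or 'ok'."""
    if account.locked_until is not None and now < account.locked_until:
        return "locked"                                        # no verification while locked
    if not account.history:
        return "failed"
    salt, digest = account.history[0]
    if not hmac.compare_digest(hash_password(candidate, salt)[1], digest):
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED:
            account.locked_until = now + LOCKOUT_SECONDS
            account.failed_attempts = 0
            return "locked"
        return "failed"
    account.failed_attempts = 0
    return "expired" if password_expired(account, now) else "ok"


if __name__ == "__main__":
    acct = Account("jdoe")
    set_password(acct, "Tr0ub4dor&3-Horse", now=1_709_283_600)   # constructed timestamp
    print(attempt_login(acct, "Tr0ub4dor&3-Horse", 1_709_283_600))
```

Note that a locked account returns “locked” without hashing the candidate at all, so an attacker gets no timing signal, and that a correct password on an expired account is reported separately so the application can force a change rather than silently granting access.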

PCI Requirement 9: Physical Security

What is PCI requirement 9? 

PCI DSS Requirement 9 is focused on restricting physical access to cardholder data and any other systems that require limited access. It’s essential for your business to physically limit access to areas with cardholder data, as well as document the following:

  •   Who has access to secure environments, and why they need access
  •   What, when, where, and why devices are used
  •   A list of authorized device users
  •   Locations where the device is and is not allowed
  •   What applications can be accessed on the device

How do I comply with PCI requirement 9? 

Employees might assume that physical security only matters after business hours. 

However, it's important to recognize that many data thefts, such as social engineering attacks, take place during regular working hours. Usually, it’s when staff members are occupied with various tasks and may not readily notice an individual walking out of the office with valuable equipment like servers, company laptops, or phones. 

Here are some practices you can implement to stay compliant with PCI requirement 9 and protect your systems: 

  • Use Secure Access Methods: Use secure methods for accessing sensitive areas, such as key cards, access codes, or biometric controls. Avoid access methods that cannot be tied to an individual, such as shared metal keys or shared door codes.
  • Visitor Access Control: Develop and implement visitor access policies. All visitors, including vendors and contractors, should be identified, given a unique badge or pass, and escorted when in sensitive areas.
  • Secure Document Storage: Ensure that any physical documents containing cardholder data are securely stored in locked cabinets or containers. Access to these documents should be controlled and limited to authorized personnel.
  • Physical Intrusion Detection: Use intrusion detection systems and alarm systems to monitor physical access and detect unauthorized entry. 
  • Access to Cardholder Data on Computers and Servers: Control physical access to computers and servers that store or process cardholder data. These systems should be kept in secure areas to prevent tampering or unauthorized access.
  • Training and Awareness: Train employees and contractors on your organization's physical security policies and procedures. Create a culture of security awareness and skepticism around suspicious activity or potentially unauthorized individuals in the office; it’s always better to be safe than sorry.

PCI Requirement 10: Logging and log management

What is PCI Requirement 10? 

This requirement establishes the need for organizations to track and monitor access to network resources and cardholder data through logs. From decades of PCI experience, we’ve found that non-compliance with requirement 10 was the most common contributor to data breaches. Proper logs help companies stay secure and mitigate breaches. 

It’s also important to remember that logs are only useful if reviewed.

How do I comply with PCI requirement 10? 

To comply with Requirement 10, review logs of security events and of all systems in or connected to the cardholder data environment at least daily, looking for errors, anomalies, and activity that deviates from the norm; at any real volume that means automated tooling rather than reading text files by eye. You’re also required to have a process in place to respond to these anomalies and exceptions. Protect stored log data against tampering: restrict who can read and change logs, forward them promptly to a central, hardened log server, use file integrity monitoring or change detection on the stored logs, and back them up. Retain at least 12 months of log history, with the most recent three months immediately available for analysis.

Log monitoring systems such as Security Information and Event Management (SIEM) tools can help you oversee network activity, inspect system events, alert on suspicious activity, and store the user actions that occur inside your systems.
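Two of those obligations, making stored logs tamper-evident and actually reviewing them, can be shown in a few dozen lines. The code below is an added example, not code from this page or from any SIEM: each record’s hash covers the previous record’s hash, so editing or deleting an earlier record breaks every link after it, and a small daily review pass flags repeated authentication failures followed by success from the same source, plus any event that touches the audit trail itself. The events, addresses, and user names are constructed, and the failed-login threshold is an assumption to tune.

```python
"""Tamper-evident audit log plus a minimal daily review for PCI DSS Requirement 10.

Each record's hash covers the previous hash, so editing or deleting an earlier record breaks every
link after it. Review rules flag repeated authentication failures and events that touch the audit
trail itself.
"""
import hashlib
import json
from collections import Counter
from typing import Dict, List, Tuple

GENESIS = "0" * 64
FAILED_LOGIN_THRESHOLD = 5                                            # assumption: tune per environment
AUDIT_TRAIL_EVENTS = {"audit_log_cleared", "audit_policy_changed"}   # changes to logging must be reviewed


def _link_hash(prev_hash: str, record: Dict) -> str:
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))   # canonical form
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class ChainedLog:
    def __init__(self) -> None:
        self.entries: List[Tuple[Dict, str]] = []

    def append(self, record: Dict) -> str:
        prev = self.entries[-1][1] if self.entries else GENESIS
        link = _link_hash(prev, record)
        self.entries.append((record, link))
        return link

    def head(self) -> str:
        """Latest hash; store it off-box (or in the daily review record) to detect truncation."""
        return self.entries[-1][1] if self.entries else GENESIS

    def verify(self) -> int:
        """Index of the first record whose link does not verify, or -1 if the chain is intact."""
        prev = GENESIS
        for i, (record, link) in enumerate(self.entries):
            if _link_hash(prev, record) != link:
                return i
            prev = link
        return -1


def daily_review(records: List[Dict]) -> List[str]:
    findings: List[str] = []
    failures = Counter(r["src"] for r in records if r["event"] == "login_failed")
    for src, n in failures.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(f"{n} failed logins from {src}")
            if any(r["event"] == "login_ok" and r["src"] == src for r in records):
                findings.append(f"successful login from {src} after repeated failures")
    for r in records:
        if r["event"] in AUDIT_TRAIL_EVENTS:
            findings.append(f"{r['user']} performed {r['event']} at {r['ts']}")
    return findings


# Constructed events; addresses and users are fictitious.
SAMPLE_EVENTS = [
    {"ts": "2024-03-02T02:10:05Z", "src": "10.10.7.23", "user": "admin", "event": "login_failed"},
    {"ts": "2024-03-02T02:10:09Z", "src": "10.10.7.23", "user": "admin", "event": "login_failed"},
    {"ts": "2024-03-02T02:10:14Z", "src": "10.10.7.23", "user": "admin", "event": "login_failed"},
    {"ts": "2024-03-02T02:10:20Z", "src": "10.10.7.23", "user": "admin", "event": "login_failed"},
    {"ts": "2024-03-02T02:10:27Z", "src": "10.10.7.23", "user": "admin", "event": "login_failed"},
    {"ts": "2024-03-02T02:10:33Z", "src": "10.10.7.23", "user": "admin", "event": "login_ok"},
    {"ts": "2024-03-02T02:11:40Z", "src": "10.10.7.23", "user": "admin", "event": "audit_log_cleared"},
    {"ts": "2024-03-02T08:05:00Z", "src": "10.10.50.12", "user": "jdoe", "event": "login_ok"},
]


def build_sample_log() -> ChainedLog:
    log = ChainedLog()
    for record in SAMPLE_EVENTS:
        log.append(dict(record))          # copy so the sample list stays pristine
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify() == -1, "head:", log.head()[:16])
    for f in daily_review([r for r, _ in log.entries]):
        print("REVIEW:", f)
```

The chain only proves that nothing between the first record and the current head was altered; an attacker who can rewrite the whole file can recompute every hash, and one who simply deletes the newest records leaves a shorter but internally consistent chain. That is why head() exists: record the head hash somewhere the logging host cannot write (the central log server, a ticket, the daily review sign-off), and truncation or wholesale rewriting becomes visible at the next review.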

PCI Requirement 11: Vulnerability scans and penetration tests

What is PCI requirement 11? 

PCI Requirement 11 is focused on the implementation of regular testing and the scanning of security systems and processes within an organization. Once your various security measures are in place, it’s important to ensure they are working as intended with things like penetration testing and vulnerability scans. 

Even if you think you’re protected, your data may be at risk due to flaws in various components like web servers, web browsers, email clients, POS software, operating systems, and server interfaces. 

While meeting requirement 6 (installing security updates and patches) can resolve many of these issues and security gaps before cyber attackers can exploit them, it's essential to validate that these vulnerabilities have been effectively addressed. To accomplish this, regular vulnerability scanning and penetration testing are essential. These procedures enable you to locate and assess potential weaknesses, ensuring that your security measures are robust and reliable before they process or store any sensitive data.

How do I comply with PCI requirement 11? 

To comply with Requirement 11, you’ll need to test and validate your security systems and processes. To get started, take the following steps:

  • Regularly test security systems and processes: This includes performing regular internal and external network vulnerability scans.
    • A vulnerability scan is an automated, high-level test that looks for and reports potential vulnerabilities. All externally facing IP addresses and domains in or connected to the cardholder data environment (CDE) must be scanned by a PCI Approved Scanning Vendor (ASV) at least quarterly; internal vulnerability scans must also be run at least quarterly and after significant changes.
    • A penetration test is an exhaustive, live examination designed to exploit weaknesses in your system. Just like a hacker, penetration testers analyze network environments, identify potential vulnerabilities, and try to exploit those vulnerabilities (or coding errors). Basically, these analysts attempt to break into your company’s network to show you how to fix your system before the real attackers actually break in.
      • Requirements for frequency and type of penetration test will vary depending on your SAQ, business size, environment, systems, etc.
  • Address vulnerabilities and weaknesses: The results of vulnerability scans and penetration tests should guide you through the remediation process. Address identified vulnerabilities promptly and make necessary improvements to your security systems and processes.

If your organization fills out an SAQ A, A-EP, D for Merchants, or D for Service Providers, there are additional security requirements to keep in mind.

Specifically, requirement 11.6.1 details exactly how these organizations need to implement change detection procedures and technologies to alert personnel to unauthorized modifications to the HTTP headers and contents of the pages used to house the TPSP iframe.

Such tamper-detection mechanisms must run at least weekly to look for unauthorized modifications to these critical web pages. SecurityMetrics offers a tool–called Shopping Cart Monitor–that helps meet this requirement.
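The mechanism behind Requirement 11.6.1 is simpler than it sounds: capture the HTTP headers and the scripts on the page that hosts the TPSP iframe, record a fingerprint, and compare every later capture against it. The code below is an added example and is not code from this page, from the Shopping Cart Monitor product, or from any TPSP. It fingerprints the monitored security headers, every external script URL, and a SHA-256 of every inline script body, then reports what changed. The page, headers, and hostnames are constructed (the domains use reserved example TLDs), and the set of monitored headers is an assumption you would extend.

```python
"""Change detection for a payment page (PCI DSS 11.6.1): fingerprint the security headers and the
scripts on the page that hosts the TPSP iframe, then diff later captures against that baseline.
"""
import hashlib
from html.parser import HTMLParser
from typing import Dict, List, Tuple

# Headers whose removal or weakening matters on a payment page (assumption: extend as needed)
MONITORED_HEADERS = ("content-security-policy", "x-frame-options", "strict-transport-security")


class ScriptCollector(HTMLParser):
    """Record every external script URL and a SHA-256 of every inline script body."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[Tuple[str, str]] = []
        self._inline = None          # list of text chunks while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts.append(("src", src))
            else:
                self._inline = []

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline).strip()
            self.scripts.append(("inline", hashlib.sha256(body.encode("utf-8")).hexdigest()))
            self._inline = None


def fingerprint(headers: Dict[str, str], html: str) -> Dict:
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    lowered = {k.lower(): v for k, v in headers.items()}      # header names are case-insensitive
    return {
        "headers": {name: lowered.get(name) for name in MONITORED_HEADERS},
        "scripts": collector.scripts,
    }


def compare(baseline: Dict, current: Dict) -> List[str]:
    """Human-readable differences; an empty list means the page matches its baseline."""
    findings: List[str] = []
    for name in MONITORED_HEADERS:
        before, after = baseline["headers"][name], current["headers"][name]
        if before != after:
            findings.append(f"header {name}: {before!r} -> {after!r}")
    added = set(current["scripts"]) - set(baseline["scripts"])
    removed = set(baseline["scripts"]) - set(current["scripts"])
    findings += [f"script added: {kind} {ref}" for kind, ref in sorted(added)]
    findings += [f"script removed: {kind} {ref}" for kind, ref in sorted(removed)]
    return findings


# Constructed baseline: hostnames use reserved example domains, not a real TPSP.
BASELINE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://pay.tpsp.example; "
                               "frame-src https://pay.tpsp.example",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
BASELINE_HTML = """<html><head><meta charset="utf-8">
<script src="https://pay.tpsp.example/v2/checkout.js"></script>
<script>window.checkoutConfig = {merchant: "M-1001", currency: "USD"};</script>
</head><body><iframe src="https://pay.tpsp.example/v2/frame"></iframe></body></html>"""

# Constructed later capture: CSP dropped, a foreign script injected, inline config altered.
TAMPERED_HEADERS = {k: v for k, v in BASELINE_HEADERS.items() if k != "Content-Security-Policy"}
TAMPERED_HTML = BASELINE_HTML.replace(
    'currency: "USD"', 'currency: "USD", hook: "https://cdn.static-metrics.example/a.js"'
).replace("</head>", '<script src="https://cdn.static-metrics.example/a.js"></script></head>')

if __name__ == "__main__":
    base = fingerprint(BASELINE_HEADERS, BASELINE_HTML)
    for f in compare(base, fingerprint(TAMPERED_HEADERS, TAMPERED_HTML)):
        print("ALERT:", f)
```

Against the tampered capture this reports four changes: the missing Content-Security-Policy header, the injected external script, and the inline script showing up as one hash removed and a new one added. The baseline must be re-recorded deliberately after every authorized release, otherwise legitimate changes become permanent noise, and the comparison has to run from outside the page’s own origin so that a compromise of the web server cannot also silence the monitor; 11.6.1 asks for it at least weekly or at a frequency justified by your targeted risk analysis.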

PCI Requirement 12: Documentation and risk assessments

What is PCI requirement 12? 

The final requirement for PCI compliance is to maintain and manage documentation, policies, procedures, and evidence relating to your company’s security practices. 

If you go through a PCI audit, you'll quickly notice the strong emphasis placed on having comprehensive and well-documented security policies and procedures. During the assessment process, Qualified Security Assessors (QSAs) typically ensure that specific requirements are not only outlined in your company's policies and procedures but also rigorously tested for compliance with both the PCI Data Security Standard and the policies you have in place.

You will need to include the following information in your documentation:

  •   Employee manuals
  •   Policies and procedures
  •   Third-party vendor agreements
  •   Incident response plans

How do I comply with PCI requirement 12? 

PCI Requirement 12 focuses on maintaining and demonstrating your security policy and procedure documentation, as well as performing risk analyses (in PCI DSS v4.0, a targeted risk analysis for each requirement that lets you choose a frequency, reviewed at least once every 12 months). To comply with this requirement, you need to take the following steps:

  • Document Security Policies and Procedures: Create and maintain detailed security policies and procedures that align with the PCI Data Security Standard (DSS) and the specific needs of your organization. Ensure these documents cover all 12 PCI requirements, addressing how your organization implements each one.
  • Employee Manuals: Develop employee manuals that provide guidance on security policies and procedures. Ensure that employees are aware of and have access to these manuals.
  • Third-Party Vendor Agreements: Maintain documentation related to third-party vendor agreements, especially those that involve handling cardholder data or other sensitive information. Confirm that vendors meet PCI DSS requirements or have appropriate compensating controls in place.
  • Incident Response Plans: Create and maintain an incident response plan that outlines how your organization will respond to security incidents or breaches. This plan should cover the process of identifying, reporting, and addressing security incidents.
  • Training and Awareness: Train employees and relevant personnel on the documented policies and procedures. Ensure that everyone in your organization is aware of their responsibilities regarding security practices.
  • Documentation Retention: Maintain records of your security documentation for at least three years. These records should include policies, procedures, and evidence of their implementation.
