PCI DSS requirement 12 deals with documentation, training, and risk assessments. This blog will cover the changes made to the documentation requirements in v4.0.
The final requirement for PCI compliance is to create and maintain comprehensive documentation, including:
If you are a service provider, your executive management is required to implement a PCI DSS Charter. This charter must establish responsibility for the protection of cardholder data and grant authority to create and implement a PCI DSS compliance program, including overall accountability for maintaining PCI DSS compliance. It must also define how the person responsible for PCI DSS compliance will communicate with executive management.
Third parties (e.g., partners, vendors, service providers) that have access to your CDE or cardholder data present a risk to the security of your environment. You must have a list of all third-party service providers you use, the PCI requirements these service providers impact or manage on your behalf, a process for performing due diligence prior to engaging a third party, and a way to monitor the PCI compliance of each third party you’ve engaged.
It is essential to have thorough and up-to-date documentation to demonstrate compliance with PCI requirements because when undergoing a PCI audit, Qualified Security Assessors (QSAs) will use that documentation as part of your assessment. They will verify that specific requirements outlined in company policies are accurately reflected in written documentation. They will also conduct testing procedures to ensure that the controls specified in the PCI Data Security Standard align with the company's documented policies and procedures.
Documentation helps protect your business from potential liability in the event of a breach. Thorough and accurately documented security policies and procedures help forensic investigators see what security measures your company has in place, and demonstrate your company’s proactive and committed approach to security.
A targeted risk analysis must be documented to support each PCI DSS requirement that gives the entity flexibility in how frequently a control is performed.
A good way to satisfy this requirement is to do a NIST 800-30 risk assessment and include the threat events posed by the PCI requirements throughout the report, along with a baseline of threat events provided in the NIST 800-30 guidance document and any threat events that have or could occur to your environment based on the people, processes and technologies used.
The risk assessment should include a spreadsheet of threat events and their corresponding risk determination. The risk assessment should have management signoff and have CDE-wide (ideally organization-wide) contribution and should be a living document that is periodically updated. Ideally the risk assessment document would be used to justify security control expenditures and to prioritize mitigation and risk-treatment efforts.
A rigorous risk assessment and resulting documentation would satisfy the risk aspects of requirements: 1.2.6, 2.2.5, 5.2.3, 5.2.3.1, 5.3.2.1, 6.3.1, 6.3.3, 7.2.5.1, 8.6.3, 9.5.1.2.1, 10.4.2.1, 11.3.1, 11.3.1.1, 11.3.1.3, 11.4.1, 11.4.4, 11.6.1, 12.3.1, 12.7.1, 12.8, 12.10.4.1, A2.1.2, and Appendix B: Compensating Controls Worksheet (4. Identified Risk).
Cryptographic cipher suites and protocols in use are documented and reviewed.
As a check to ensure that data is not transmitted over insecure protocols or encrypted with insecure cryptographic cipher suites, requirement 12.3.3 requires companies to document and monitor all ciphers and protocols in use at least annually. Additionally, companies should have a procedure in place to respond to cryptographic vulnerabilities so that it’s possible to change from one suite to another.
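The cipher and protocol inventory that requirement 12.3.3 asks for can be kept as structured data and checked mechanically at each review. The following Python is an added example (not from the original post): it assumes an OpenSSL-style cipher-suite naming convention, a constructed sample inventory, and a simple illustrative policy (SSL/TLS 1.1 and older, RC4, 3DES, NULL, export and anonymous suites are flagged) that you would replace with your own documented cryptography standard.

```python
import ssl
from dataclasses import dataclass

# Illustrative review policy (assumption for this example, not a PCI DSS list).
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "anon")


@dataclass
class CipherEntry:
    system: str    # hostname or service name as recorded in the inventory
    protocol: str  # protocol version enabled on that system
    cipher: str    # OpenSSL-style cipher-suite name


def classify(entry):
    """Return the reasons an entry needs remediation; empty list if acceptable."""
    reasons = []
    if entry.protocol in DEPRECATED_PROTOCOLS:
        reasons.append(f"deprecated protocol {entry.protocol}")
    for marker in WEAK_CIPHER_MARKERS:
        if marker in entry.cipher:  # "DES" also catches 3DES (DES-CBC3-SHA)
            reasons.append(f"weak cipher component {marker}")
            break
    return reasons


def review_inventory(entries):
    """Split an inventory into (acceptable, flagged) lists for the review record."""
    acceptable, flagged = [], []
    for entry in entries:
        reasons = classify(entry)
        (flagged if reasons else acceptable).append((entry, reasons))
    return acceptable, flagged


def local_inventory(system="this-host"):
    """Enumerate the suites Python's default TLS context enables on this host.

    The protocol recorded is the context's minimum version, not the per-suite
    'protocol' field, which OpenSSL reports as the version a suite first appeared in."""
    ctx = ssl.create_default_context()
    minimum = ctx.minimum_version.name.replace("_", ".")
    return [CipherEntry(system, minimum, c["name"]) for c in ctx.get_ciphers()]


# Constructed sample inventory for demonstration.
SAMPLE = [
    CipherEntry("pos-gateway-1", "TLSv1.0", "RC4-SHA"),
    CipherEntry("legacy-ftp-proxy", "TLSv1.2", "DES-CBC3-SHA"),
    CipherEntry("payment-api", "TLSv1.3", "TLS_AES_256_GCM_SHA384"),
]

if __name__ == "__main__":
    ok, bad = review_inventory(SAMPLE + local_inventory())
    for entry, reasons in bad:
        print(f"REVIEW {entry.system}: {entry.protocol} {entry.cipher} -> {reasons}")
```

Keeping the output of each run alongside the dated review gives the assessor the evidence trail the requirement expects.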
Hardware and software technologies are reviewed.
Managing the hardware and software technologies in use in the CDE ensures that end-of-life and vulnerable software and hardware are continuously brought back to a compliant state. To show evidence of compliance, the assessor will want to see that you are receiving security notices and fixes, that you are documenting end-of-life plans, and that you have a documented plan, approved by senior management, to remediate insecure and outdated technologies.
An annual scoping of your card data environment was mentioned in the initial discussion section of previous versions of PCI DSS, but now the Council has moved that into the requirements matrix under section 12 and made it a trackable requirement effective immediately for version 4.0.
So a documented scoping exercise will have to be done by merchants annually, or after any significant changes to the in-scope environment (e.g., people, systems, processes).
New for service providers will be a future-dated requirement to perform this scoping exercise at least every 6 months and after any organizational changes to the company.
Often, a company will look to the PCI QSA to define the scope of their CDE. However helpful the QSA may try to be, the scope of the PCI assessment is owned by the entity; the QSA's role is to validate that the defined scope is appropriate for the entity's card data flows and for the extent to which the entity can affect the security of the cardholder data environment. To show evidence of compliance with this requirement, there will need to be a documented scope and a bi-annual confirmation of that scope (or a confirmation upon any significant change).
Organizations will need to enforce a more formal Security Awareness Program, whereas previously you could get by with some basic security training.
Organizations will need to document and update their Security Awareness Program at least once every 12 months and as needed to address any new threats and vulnerabilities that may impact the security of their CDE or information provided to personnel about their role in protecting cardholder data.
To show evidence of compliance with this requirement, the assessor will need to see the security awareness program content and evidence of the annual reviews, such as meeting notes or updates to the program's version table.
The standard now expects a security training program to discuss specific threats and vulnerabilities in your environment, as well as acceptable use of end-user technologies.
For example, if phishing is a big deal for your environment, then you need to address phishing in your training. The training program will also need to be documented, reviewed and updated at least annually.
As discussed in requirement 5.4.1, companies should be taking a defense-in-depth approach to prevent phishing and other social engineering-related attacks. To be compliant with requirement 12.6.3.1, a merchant’s security awareness training program needs to include education on how to detect, react to, and report phishing and social engineering attempts. It is also recommended that members of the merchant’s incident response team are made aware of how to properly respond to notifications of these types of attacks against the organization.
Documentation plays a crucial role in achieving and maintaining PCI DSS compliance. It serves as evidence of an organization's adherence to security policies and procedures, and it is a key component during PCI audits conducted by Qualified Security Assessors (QSAs).
Thorough and up-to-date documentation ensures that the specific requirements outlined in company policies are accurately reflected and implemented within the organization.
Thorough documentation is not only a requirement for PCI compliance, but it also serves as a valuable asset in demonstrating a commitment to security and protecting sensitive cardholder data.