Data security policy

This is policy in progress. It is a necessary part of PCI Compliance.

Below is a dump of the security policy requirement for pci compliance

12.1

A security Policy is established, published, maintained, and disseminated, and it accomplishes the following:

More Information >> Help You must have an information security policy in place that states your method of protecting the security of sensitive information.

Your employees and all users of your network, such as vendors, contractors and business partners must be made aware of, and held accountable to the security policy. How to verify you are fulfilling this requirement - Examine the information security policy and verify that the policy is published and disseminated to all relevant system users (including vendors, contractors, and business partners).

12.1.3

Includes a review at least once a year and updates when the environment changes.

More Information >> Help Your information security policy must be reviewed at least annually. If necessary, more frequent updates should be made to reflect any new, known change in the risk environment. How to verify you are fulfilling this requirement - Verify that the information security policy is reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment.

12.3.a

Usage policies for critical employee-facing technologies (for example, remote-access technologies, wireless technologies, removable electronic media, laptops, personal data/digital assistants [PDAs], e-mail, and Internet usage) are developed to define proper use of these technologies for all employees and contractors.

More Information >> Help The clearer your policies around technology usage, the more secure your critical cardholder data will be. Even innocent actions by an employee can leave your company in a breach situation. Educating employees in a responsible manner will help maintain secure data properly.

Your user policy must address the proper usage of technologies like the Internet, email, wireless technology (PDA and other handheld devices), and laptops by your employees, vendors, and anyone else who uses your network. 12.4

The security Policy and Procedures clearly define Information Security responsibilities for all employees and contractors.

More Information >> Help Your information security policy must clearly state employee and contractor responsibilities.

For example, employees must not disable anti-virus on their computers, must not download executable files, and must not use P2P (peer-to-peer) or other filesharing methods (such as torrents). How to verify you are fulfilling this requirement - Verify that information security policies clearly define information security responsibilities for both employees and contractors. 12.5

The following Information Security management responsibilities are assigned to an individual or team.

More Information >> Help Ultimately, security management of cardholder data must fall under the responsibility of a single entity to avoid any confusion about accountability and execution. How to verify you are fulfilling this requirement - Verify the formal assignment of information security to a Chief Security Officer or other security-knowledgeable member of management. Obtain and examine information security policies and procedures to verify that the following information security responsibilities are specifically and formally assigned:

12.5.3

Establishing, documenting, and distributing security incident response and escalation Procedures to ensure timely and effective handling of all situations.

More Information >> Help You must specifically assign roles and responsibilities for response and escalation of any security breach.

For example, indicate who is responsible in the case of a virus, and who is responsible for media information. All employees should know exactly who to contact if they detect something unusual on the network. How to verify you are fulfilling this requirement - Verify that responsibility for creating and distributing security incident response and escalation procedures is formally assigned. 12.6

A formal security awareness program is in place to make all employees aware of the importance of Cardholder data security. (Please note, complimentary PCI 1-2-3 Security Awareness Training is available in the PCI Resources Section).

More Information >> Help You are responsible for your employees' awareness of the sensitivity of cardholder data. To this end, you must offer a required security awareness program for all employees. How to verify you are fulfilling this requirement - Verify the existence of a formal security awareness program for all employees. - Obtain and examine security awareness program procedures and documentation and perform.

12.8

If Cardholder data is shared with service providers, are policies and Procedures maintained and implemented to manage service providers, and the policies and Procedures include the following:

More Information >> Help If you share sensitive cardholder information with service providers like back-up storage facilities, security service providers, and Web hosting companies, you must manage and document these relationships. How to verify you are fulfilling this requirement - If the entity being assessed shares cardholder data with service providers (for example, back-up tape storage facilities, managed service providers such as Web hosting companies or security service providers, or those that receive data for fraud modeling purposes), through observation, review of policies and procedures, and review of supporting documentation. 12.8.1

A list of Service Providers is maintained.

More Information >> Help For example, your list may include the name of your web hosting company, payment processing company and data backup company. How to verify you are fulfilling this requirement - Verify that a list of service providers is maintained.

12.8.2

A written agreement is maintained that includes an acknowledgment that the Service Providers are responsible for the security of Cardholder data the Service Providers possess.

More Information >> Help You must have each service provider sign a written agreement stating it is responsible for the cardholder information your company has shared with it. How to verify you are fulfilling this requirement - Verify that the written agreement includes an acknowledgement by the service providers of their responsibility for securing cardholder data. 12.8.3

There is an established process for engaging service providers, including proper due diligence prior to engagement.

More Information >> Help You must prove that you have guidelines that govern your selection and hiring of outside service providers.

Your process must include conscientious investigation of providers before engaging them in business. How to verify you are fulfilling this requirement - Verify that policies and procedures are documented and were followed including proper due diligence prior to engaging any service provider.

12.8.4

A program is maintained to monitor service providers’ PCI DSS compliance status.

More Information >> Help You must monitor PCI DSS compliance status of all service providers you engage. How to verify you are fulfilling this requirement - Verify that the entity assessed maintains a program to monitor its service providers’ PCI DSS compliance status.