Defined Approach Requirements
12.10.1 An incident response plan exists and is ready to be activated in the event of a suspected or confirmed security incident. The plan includes, but is not limited to:
• Roles, responsibilities, and communication and contact strategies in the event of a suspected or confirmed security incident, including notification of payment brands and acquirers, at a minimum.
• Incident response procedures with specific containment and mitigation activities for different types of incidents.
• Business recovery and continuity procedures.
• Data backup processes.
• Analysis of legal requirements for reporting compromises.
• Coverage and responses of all critical system components.
• Reference or inclusion of incident response procedures from the payment brands.
Customized Approach Objective
A comprehensive incident response plan that meets card brand expectations is maintained.
Applicability Notes
[No detail is provided here in the PCI DSS 4.0]
Defined Approach Testing Procedures
12.10.1.a Examine the incident response plan to verify that the plan exists and includes at least the elements specified in this requirement.
12.10.1.b Interview personnel and examine documentation from previously reported incidents or alerts to verify that the documented incident response plan and procedures were followed.
Purpose of requirement and procedures
Without a comprehensive incident response plan that is properly disseminated, read, and understood by the parties responsible, confusion and lack of a unified response could create further downtime for the business, unnecessary public media exposure, as well as risk of financial and/or reputational loss and legal liabilities.
Good practice
The incident response plan should be thorough and contain all the key elements for stakeholders (for example, legal, communications) to allow the entity to respond effectively in the event of a breach that could impact account data. It is important to keep the plan up to date with current contact information of all individuals designated as having a role in incident response. Other relevant parties for notifications may include customers, financial institutions (acquirers and issuers), and business partners.
Entities should consider how to address all compromises of data within the CDE in their incident response plans, including compromises of account data, wireless encryption keys, encryption keys used for transmission and storage of account data or cardholder data, etc.
Examples
Legal requirements for reporting compromises include those in most US states, the EU General Data Protection Regulation (GDPR), and the Personal Data Protection Act (Singapore).
Further Information
For more information, refer to NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide.
Definitions
[No detail is provided here in the PCI DSS 4.0]
Note: This sub-requirement falls within the primary PCI DSS Requirement 12: Support Information Security with Organizational Policies and Programs, and the secondary requirement 12.10: Suspected and confirmed security incidents that could impact the CDE are responded to immediately.
What is the PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards formed in 2004 by Visa, MasterCard, Discover Financial Services, JCB International and American Express. Governed by the Payment Card Industry Security Standards Council (PCI SSC), the compliance scheme aims to secure credit and debit card transactions against data theft and fraud.
While the PCI SSC has no legal authority to compel compliance, it is a requirement for any business that processes credit or debit card transactions. PCI certification is also considered the best way to safeguard sensitive data and information, thereby helping businesses build long-lasting and trusting relationships with their customers.
Source: https://www.imperva.com/learn/data-security/pci-dss-certification/
What is the PCI SSC
The PCI SSC mission is to enhance global payment account data security by developing standards and supporting services that drive education, awareness, and effective implementation by stakeholders. We achieve this with a strategic framework to guide our decision-making process and ensure that every initiative is aligned with our mission and supports the needs of the global payments industry.
The four pillars of our strategic framework include:
- Increase industry participation and knowledge in the PCI Standards development process and stakeholder support for standards implementation. This ensures that standards and resources reflect and address industry needs and challenges.
- Evolve security standards and validation programs to support a range of environments, technologies and methodologies for achieving security. This ensures standards and resources that support and enable safe commerce and the flexibility to use different approaches to meet those standards.
- Secure emerging payment channels via development of PCI Standards and resources to support broader payment acceptance. This enables safe commerce in new and emerging card and card-based payment channels such as mobile and internet-of-things.
- Increase standards alignment and consistency of PCI Standards to minimize redundancy and support effective implementation.
PCI DSS certification
PCI certification ensures the security of card data at your business through a set of requirements established by the PCI SSC. These include a number of commonly known best practices, such as:
- Installation of firewalls
- Encryption of data transmissions
- Use of anti-virus software
Source: https://www.imperva.com/learn/data-security/pci-dss-certification/
You can learn more about the PCI DSS at https://www.pcisecuritystandards.org/