Contact Us

Requirement 12: Support information security with organizational policies and programs

2022 PSR

Please provide the information below to view the online Verizon Payment Security Report.

First Name: Last Name: E-mail: Organization: Organization type Country:

The information provided will be used in accordance with our terms set out in our Privacy Notice. Please confirm you have read and understood this Notice.

By submitting the form, you are agreeing to receive insights, reports and other information from Verizon and affiliated companies in accordance with our Privacy Policy. California residents can view our California Privacy Notice.

I confirm I have read and understood

Verizon may wish to contact you in the future concerning its products and/or services. If you would like to receive these communications from Verizon, indicate by selecting from the dropdown menu below. Please note that you can unsubscribe or update your preferences at any time.

Indicates a required field. The content access link will be emailed to you.

View only

Thank You.

Thank you.

You will soon receive an email with a link to confirm your access, or follow the link below.

Download this document

Thank you.

You may now close this message and continue to your article.

Requirement 12: Support information security with organizational policies and programs

The goal	The goal of PCI DSS Key Requirement 12 is to develop and maintain a sustainable and secure control environment for the effective protection of payment card data by maintaining a comprehensive program, supported by an integrated set of documented organizational information security, risk management and compliance standards, policies and procedures, with oversight from a governance structure and supporting processes for effective execution and continuous improvement. This goal includes complete integration with all related PCI DSS Key Requirements for the establishment of an effective, integrated series of control systems, and the development and ongoing improvement of all related capabilities, processes, documentation, tools and training needed to achieve < Quantitatively managed/Optimized > maturity of this key requirement by < insert date >.
Goal applicability and scope considerations	Documentation: Security policies, standards, procedures and guidance documents that cover all PCI DSS requirements, third-party vendor agreements, incident response plan, and security awareness program plan People: This goal applies to all employees (such as IT and security staff, accountants, support staff, call center agents, and executives), contractors, consultants, and internal and external vendors and other third parties that provide support or maintenance services, and any individuals who can access account data or any system component within the CDE
Goal requirements: Some of the primary conditions necessary to achieve the goal	Control environment: Establish and maintain an effective and sustainable control environment: the actions, policies, values and management styles that influence and set the tone of the day-to-day activities of the organization; a reflection of its values; the atmosphere in which people conduct their activities and carry out control responsibilities. An environment in which competent people understand their responsibilities, the limits of their authority, and are knowledgeable, mindful and committed to doing what is right and doing it the right way Security policy—design and documentation: Establish the capability to design, document and maintain a complete and integrated set of PCI security and compliance, and risk management policies, standards and procedures Security policy—training: Create the capability to design, implement and maintain supporting processes to effectively communicate and update, and to monitor user awareness and comprehension of the policy documentation set Capability—incident response: Establish the ability to develop a comprehensive incident response plan that covers all components within the CDE, and to test its effectiveness, and continuously improve it Capability—risk management: Maintain the ability to develop, implement and maintain a comprehensive risk management strategy, method and implementation plan with performance management Capability—resource management: Create the ability to develop, implement and maintain secure human resources and third-party management practices, policies and procedures
Strong dependencies and integration with other key requirements	All Requirements: Security policies and standards required for all key requirements Requirements 10 & 11: Integration with logging, monitoring and testing for incident response Requirement 6: Risk management integration with secure systems and software requirements Requirements 5, 7, 8 & 9: Targeted risk analysis integration
Short-term objectives	Communication: Make policy, standards procedures and guidance available online to all stakeholders and track access and use Training: Conduct online policy training, track which individuals read relevant security policies and completed the training (implementation coverage), and test their comprehension of the material presented
Long-term objectives	Integrate: Improve the integration and alignment between policy, standards, procedure and guidance documentation. Frequent internal identification, reporting and correction of any misalignments Maturity: Achieve and maintain high-capability maturity on maintaining an effective control environment
Common constraints	Competence: Incomplete, unclear, poorly articulated and ill-constructed security policies and standards Capability: Lack of information security proficiency; governance, program design, risk management, compliance management; inadequate training and education