PCI-DSS Requirement 12 mandates that organisations maintain a comprehensive set of information security policies and procedures to support the security of the cardholder data environment (CDE). Policies must be reviewed annually, distributed to all relevant personnel, and acknowledged by staff.

Required Policies

The following policies are required or strongly recommended under PCI-DSS:

Information Security Policy

The overarching policy that establishes the organisation's commitment to information security (Requirement 12.1). This policy must:

  • Address all PCI-DSS requirements
  • Be reviewed at least annually and updated when the environment changes
  • Define information security responsibilities for all personnel
  • Include an annual risk assessment process

Acceptable Use Policy

Defines acceptable use of critical technologies (Requirement 12.2), covering:

  • Remote access technologies
  • Wireless technologies
  • Removable electronic media
  • Laptops and mobile devices
  • Email and internet usage
  • Explicit approval by authorised parties for use of technologies
  • Authentication requirements for use of technologies

Remote Access Policy

Governs all remote access to the CDE and networks that can affect the CDE:

  • Multi-factor authentication required for all remote access (Requirement 8.4.2)
  • Encryption of all remote access sessions
  • Automatic disconnect of remote access sessions after a period of inactivity
  • For vendor access, activation only when needed, with immediate deactivation after use

Vendor Management Policy

Service provider management requirements (Requirement 12.8):

  • Maintain a list of all service providers with which account data is shared or that could affect the security of cardholder data (CHD)
  • Written agreements with service providers acknowledging their PCI-DSS responsibilities
  • Due diligence process before engaging service providers
  • Monitor service providers' PCI-DSS compliance status annually
  • Track which PCI-DSS requirements are managed by each provider versus the organisation

Incident Response Policy

The incident response plan required by Requirement 12.10 must include the following (see the Incident Response article for full details):

  • Roles, responsibilities, and communication/notification procedures
  • Specific incident response procedures
  • Business recovery and continuity procedures
  • Reference to card brand notification requirements
  • Annual testing of the incident response plan

Data Retention Policy

Requirement 3.1 mandates a data retention and disposal policy that:

  • Defines the purpose and retention period for all cardholder data storage
  • Identifies all storage locations of cardholder data
  • Requires secure deletion/destruction of data that exceeds the defined retention period
  • Includes a quarterly process to identify and securely delete stored CHD exceeding defined retention
  • Specifies that sensitive authentication data (SAD) must never be stored after authorisation

Annual Review Requirement

PCI-DSS Requirement 12.1.2 mandates that the information security policy (and by extension, supporting policies) must be reviewed at least once every 12 months and updated as needed to reflect changes to:

  • Business objectives or the risk environment
  • The cardholder data environment (new systems, connections, or data flows)
  • Industry security standards or compliance requirements
  • Organisational structure, roles, or responsibilities

Staff Acknowledgment

PCI-DSS Requirement 12.6 requires a formal security awareness program. As part of this:

  • All personnel must receive security awareness training upon hire and at least annually
  • Personnel must acknowledge at least annually that they have read and understood the information security policy and procedures
  • Training must include awareness of threats to the security of cardholder data (phishing, social engineering)
  • Track acknowledgment records in Venvera — the Documentation module logs who has reviewed and acknowledged each policy

Policy Lifecycle in Venvera

Venvera tracks each policy through the following lifecycle states:

  1. Draft — Create or update the policy document
  2. Under Review — Route for review by security team and stakeholders
  3. Approved — Policy is formally approved and effective
  4. Distributed — Policy is shared with all relevant personnel
  5. Acknowledged — Staff acknowledgment is tracked and recorded
  6. Superseded — Previous version is archived when a new version is approved
  7. Retired — Policy is no longer applicable and is archived