
A strong security policy sets the tone for the security of an entire company. It informs employees of their expected duties with regard to security. All employees should be aware of the sensitive nature of cardholder data and their role in protecting it.


Requirement 12: Maintain a policy that addresses information security for all personnel

  • Create, publish, maintain, and disseminate security policies.
    • Review the policies annually and update them as changes are implemented.
  • Implement a risk assessment process annually or when significant changes are made.
    • Changes should be made when the following occur:
      • Critical assets are added or removed
      • New threats confirmed
      • New vulnerabilities confirmed
  • Develop usage policies for critical systems that define proper use by employees.
    • These should include:
      • Remote access
      • Wireless
      • Removable media
      • Laptops
      • Tablets
      • Handheld devices
      • Email
      • Internet usage
  • Ensure that security policies and procedures clearly define employee responsibilities.
    • Service providers will need to establish responsibilities for their executive management for data protection and PCI DSS compliance.
  • Assign security responsibilities to the proper individuals or teams.
  • Implement formal security awareness programs to ensure employee awareness of these policies and procedures.
  • Screen personnel prior to hire to ensure risk is minimized.
    • Employee history
    • Criminal records
    • Credit history
    • Reference Checks
  • Maintain and implement policies and procedures to manage service providers.
  • Service Providers should acknowledge in writing to customers their responsibilities for customer data security.
    • They should include the following:
      • They are responsible for the security of customer data.
      • They possess the following responsibilities for data handled on behalf of the customer:
        • Storing Data
        • Processing Data
        • Transmitting Data
  • Implement incident response plans to respond immediately to system breaches.
  • Service providers must perform and document system reviews quarterly to confirm personnel are following policies and procedures.



Additional Resources and Help!

Still have questions? Please contact us any time at support@ezsoftpos.com.


NOTE: If emailing, please include your business name in the subject line of the email and provide your preferred contact information for the best response time.


Visit our Help Center for more guides and tutorials.