Requirement 12: Maintain a policy that addresses information security for employees and contractors

A strong security policy sets the security tone for the whole company and informs employees what is expected of them. All employees should be aware of the sensitivity of data and their responsibilities for protecting it.

12.1 Establish, publish, maintain, and disseminate a security policy that accomplishes the following:

12.1.1 Addresses all requirements in this specification
12.1.2 Includes an annual process that identifies threats and vulnerabilities, and results in a formal risk assessment
12.1.3 Includes a review at least once a year and updates when the environment changes.

12.2 Develop daily operational security procedures that are consistent with requirements in this specification (for example, user account maintenance procedures, and log review procedures).
12.3 Develop usage policies for critical employee-facing technologies (such as modems and wireless) to define proper use of these technologies for all employees and contractors. Ensure these usage policies require the following:

12.3.1 Explicit management approval
12.3.2 Authentication for use of the technology
12.3.3 List of all such devices and personnel with access
12.3.4 Labeling of devices with owner, contact information, and purpose
12.3.5 Acceptable uses of the technologies
12.3.6 Acceptable network locations for the technologies
12.3.7 List of company-approved products
12.3.8 Automatic disconnect of modem sessions after a specific period of inactivity
12.3.9 Activation of modems for vendors only when needed by vendors, with immediate deactivation after use
12.3.10 When accessing cardholder data remotely via modem, prohibition of storage of cardholder data onto local hard drives, floppy disks, or other external media. Prohibition of cut-and-paste and print functions during remote access.

12.4 Ensure that the security policy and procedures clearly define information security responsibilities for all employees and contractors.
12.5 Assign to an individual or team the following information security management responsibilities:

12.5.1 Establish, document, and distribute security policies and procedures
12.5.2 Monitor and analyze security alerts and information, and distribute to appropriate personnel
12.5.3 Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations
12.5.4 Administer user accounts, including additions, deletions, and modifications
12.5.5 Monitor and control all access to data.

12.6 Implement a formal security awareness program to make all employees aware of the importance of cardholder data security.

12.6.1 Educate employees upon hire and at least annually (for example, by letters, posters, memos, meetings, and promotions)
12.6.2 Require employees to acknowledge in writing that they have read and understood the company's security policy and procedures.

12.7 Screen potential employees to minimize the risk of attacks from internal sources. For those employees such as store cashiers who only have access to one card number at a time when facilitating a transaction, this requirement is a recommendation only.
12.8 If cardholder data is shared with service providers, then contractually the following is required:

12.8.1 Service providers must adhere to the PCI DSS requirements
12.8.2 Agreement that includes an acknowledgement that the service provider is responsible for the security of cardholder data the provider possesses.

12.9 Implement an incident response plan. Be prepared to respond immediately to a system breach.

12.9.1 Create the incident response plan to be implemented in the event of system compromise. Ensure the plan addresses, at a minimum, specific incident response procedures, business recovery and continuity procedures, data backup processes, roles and responsibilities, and communication and contact strategies (for example, informing the Acquirers and credit card associations)
12.9.2 Test the plan at least annually
12.9.3 Designate specific personnel to be available on a 24/7 basis to respond to alerts
12.9.4 Provide appropriate training to staff with security breach response responsibilities
12.9.5 Include alerts from intrusion detection, intrusion prevention, and file integrity monitoring systems
12.9.6 Develop process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments.

12.10 All processors and service providers must maintain and implement policies and procedures to manage connected entities, to include the following:

12.10.1 Maintain a list of connected entities
12.10.2 Ensure proper due diligence is conducted prior to connecting an entity
12.10.3 Ensure the entity is PCI DSS compliant
12.10.4 Connect and disconnect entities by following an established process.