12.10 Suspected and confirmed security incidents that could impact the CDE are responded to immediately.
This requirement ensures that organizations have proper incident response procedures in place to quickly and effectively respond to security incidents that could impact cardholder data, minimizing potential damage and facilitating recovery.
Sub-requirements:
- 12.10.1 An incident response plan exists and is ready to be activated in the event of a suspected or confirmed security incident. The plan includes, but is not limited to:
- 12.10.2 At least once every 12 months, the security incident response plan is:
- 12.10.3 Specific personnel are designated to be available on a 24/7 basis to respond to suspected or confirmed security incidents.
- 12.10.4 Personnel responsible for responding to suspected and confirmed security incidents are appropriately and periodically trained on their incident response responsibilities.
- 12.10.4.1 The frequency of periodic training for incident response personnel is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.
- 12.10.5 The security incident response plan includes monitoring and responding to alerts from security monitoring systems, including but not limited to:
- 12.10.6 The security incident response plan is modified and evolved according to lessons learned and to incorporate industry developments.
- 12.10.7 Incident response procedures are in place, to be initiated upon the detection of stored PAN anywhere it is not expected, and include:
12.10 An incident response plan is established and maintained.
Ensure that an incident response plan is documented, assigned, tested, and maintained to address security incidents involving cardholder data.
Key Risks
Frequently Asked Questions
What is required in an incident response plan?
Procedures for identifying, containing, eradicating, and recovering from security incidents, including roles and responsibilities.
How often must the incident response plan be tested?
At least annually, and after significant changes to systems or personnel.
Who should be trained on the incident response plan?
All personnel with responsibilities in the plan, including IT, security, and management.
How is evidence of testing and training maintained?
Through test reports, attendance logs, and training records.
What happens if an incident response plan is not maintained?
The organization may be unable to respond effectively to incidents, increasing risk and potential impact.
Common QSA Questions
Can you show your incident response plan and evidence of testing?
Yes, we maintain the current plan and logs of all tests and training sessions.
How are personnel trained and assigned to incident response roles?
Training is provided annually, and roles are documented in the plan and organizational charts.
How are incidents tracked and reviewed?
Through incident logs, post-incident reviews, and continuous improvement processes.