WithPCI.com

12.10.5 The security incident response plan includes monitoring and responding to alerts from security monitoring systems, including but not limited to:

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

12.10.5 The security incident response plan includes monitoring and responding to alerts from security monitoring systems, including but not limited to:

  • Intrusion-detection and intrusion-prevention systems.
  • Network security controls.
  • Change-detection mechanisms for critical files.
  • The change- and tamper-detection mechanism for payment pages. This bullet is a best practice until its effective date; refer to Applicability Notes below for details.
  • Detection of unauthorized wireless access points.

Customized Approach Objective

Alerts generated by monitoring and detection technologies are responded to in a structured, repeatable manner.

Applicability Notes

The bullet above (for monitoring and responding to alerts from a change- and tamper-detection mechanism for payment pages) is a best practice until 31 March 2025, after which it will be required as part of Requirement 12.10.5 and must be fully considered during a PCI DSS assessment.

Defined Approach Testing Procedures

12.10.5 Examine documentation and observe incident response processes to verify that monitoring and responding to alerts from security monitoring systems are covered in the security incident response plan, including but not limited to the systems specified in this requirement.

Purpose

Responding to alerts generated by security monitoring systems that are explicitly designed to focus on potential risk to data is critical to preventing a breach, and therefore this response must be included in the incident-response processes.

Purpose

Include specific incident response procedures for suspected or confirmed cardholder data breaches.

Compliance Strategies

  • Detailed breach response steps
  • Integration with legal and communications

Typical Policies

  • Cardholder Data Breach Response Policy

Common Pitfalls

  • No cardholder data-specific procedures
  • Uncoordinated response

Type

Process Control

Difficulty

Moderate

Key Risks

  • Regulatory fines, data loss

Recommendations

  • Align with legal and PR teams

Eligible SAQ

  • SAQ-D MERCHANT
  • SAQ-D SERVICE PROVIDER
