WithPCI.com

A3.2.6.1 Response procedures are implemented to be initiated upon the detection of attempts to remove cleartext PAN from the CDE

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

A3.2.6.1 Response procedures are implemented to be initiated upon the detection of attempts to remove cleartext PAN from the CDE via an unauthorized channel, method, or process. Response procedures include:

  • Procedures for the prompt investigation of alerts by responsible personnel.
  • Procedures for remediating data leaks or process gaps, as necessary, to prevent any data loss.

PCI DSS Reference: Requirement 12

Customized Approach Objective

This requirement is not eligible for the customized approach.

Defined Approach Testing Procedures

A3.2.6.1.a Examine documented response procedures to verify that procedures for responding to the attempted removal of cleartext PAN from the CDE via an unauthorized channel, method, or process include all elements specified in this requirement:

  • Procedures for the prompt investigation of alerts by responsible personnel.
  • Procedures for remediating data leaks or process gaps, as necessary, to prevent any data loss.

A3.2.6.1.b Interview personnel and examine records of actions taken when cleartext PAN is detected leaving the CDE via an unauthorized channel, method, or process and verify that remediation activities were performed.

Purpose

Attempts to remove cleartext PAN via an unauthorized channel, method, or process may indicate malicious intent to steal data, or may be the actions of an authorized employee who is unaware of or simply not following the proper methods. Prompt investigation of these occurrences can identify where remediation needs to be applied and provides valuable information to help understand from where the threats are coming.

Purpose

Designated Entities must document and retain evidence of penetration testing.

Compliance Strategies

  • Testing logs
  • Documentation retention

Typical Policies

  • Penetration Testing Documentation Policy

Common Pitfalls

  • No documentation
  • Missing test records

Type

Documentation/Process Control

Difficulty

Low

Key Risks

  • Inability to demonstrate compliance

Recommendations

  • Centralize documentation
