This information has been shared freely by Mark E.S. Bernard. If you find it useful please acknowledge this contribution.
If you would like additional information or assistance with the customization and implementation of a balanced risk
management process for your security program then please contact Mark @ 604-349-6557 or email@example.com
The following 13 control points defined within PCI DSS require management, at least annually, to provide
assurance of compliance in preparation for the annual Report on Compliance facilitated by the
designated PCI QSA. PCI DSS V2 includes 177 control points, most of which can be integrated within
current business processes and practices. The breakdown is as follows:
• 54% fall under the responsibility of IT
• 32% under the Chief Information Security Officer (CISO), independent of IT
• 10% under Development, independent of IT and the CISO
• 3% under Operations, where cardholder data is handled
• 3% under Executive Governance
• 1% under Human Resources, general staff and managers
• 9.5 Store media back-ups in a secure location, preferably an off-site facility, such as an alternate
or back-up site, or a commercial storage facility. Review the location’s security at least annually.
• 9.6 Physically secure all media. Verified by observation and documentation review that there is
an annual process in place to review the security of storage locations.
• 9.8 Ensure management approves any and all media that is moved from a secured area
(especially when media is distributed to individuals).
• 9.9.1 Properly maintain inventory logs of all media and conduct media inventories at least
annually. Verified by obtaining and reviewing the media inventory log to confirm that periodic media
inventories are performed at least annually.
• 12.1.2 Includes an annual process that identifies threats and vulnerabilities, and results in a
formal risk assessment. (Examples of risk assessment methodologies include, but are not limited
to, OCTAVE, ISO 27005 and NIST SP 800-30.)
• 12.1.3 Includes a review at least annually and updates when the environment changes.
• 12.6.1 Educate personnel upon hire and at least annually. Note: Methods can vary depending on
the role of the personnel and their level of access to the cardholder data.
• 12.6.2 Require personnel to acknowledge at least annually that they have read and understood
the security policy and procedures.
• 12.8.1 Maintain a list of service providers.
• 12.8.4 Maintain a program to monitor service providers’ PCI DSS compliance status at least
• 12.9.2 Test the plan at least annually.
• 12.9.4 Provide appropriate training to staff with security breach response responsibilities.
• 12.9.6 Develop a process to modify and evolve the incident response plan according to lessons
learned and to incorporate industry developments.