Category: PCI DSS Requirement 12
Maintain a policy that addresses information security for all personnel.
PCI DSS Requirement 12 binds all the the previous requirements together since it defines the need for a robust and comprehensive information security policy within an entity. The Information Security Policy defines the culture, mindset and tone for the organization and provides a framework for all employees as to how they should approach information security and the handling of sensitive data, especially as it relates to cardholder data. This overarching policy must be communicated to the entire organization so that they all clearly understand their responsibilities. Within PCI DSS Requirement 12, the term “personnel” refers to any individual who has access to the entities cardholder data environment and thus access to sensitive cardholder data.