Framework № PCI DSS 4.0 от 01.03.2022

12.10.1
Defined Approach Requirements: 
An incident response plan exists and is ready to be activated in the event of a suspected or confirmed security incident. The plan includes, but is not limited to:

Customized Approach Objective:
A comprehensive incident response plan that meets card brand expectations is maintained. 

Defined Approach Testing Procedures:

Purpose:
Without a comprehensive incident response plan that is properly disseminated, read, and understood by the parties responsible, confusion and lack of a unified response could create further downtime for the business, unnecessary public media exposure, as well as risk of financial and/or reputational loss and legal liabilities. 

Good Practice:
The incident response plan should be thorough and contain all the key elements for stakeholders (for example, legal, communications) to allow the entity to respond effectively in the event of a breach that could impact account data. It is important to keep the plan up to date with current contact information of all individuals designated as having a role in incident response. Other relevant parties for notifications may include customers, financial institutions (acquirers and issuers), and business partners. 
Entities should consider how to address all compromises of data within the CDE in their incident response plans, including to account data, wireless encryption keys, encryption keys used for transmission and storage or account data or cardholder data, etc. 

Examples:
Legal requirements for reporting compromises include those in most US states, the EU General Data Protection Regulation (GDPR), and the Personal Data Protection Act (Singapore). 

Further Information:
For more information, refer to the NIST SP 800- 61 Rev. 2, Computer Security Incident Handling Guide. 

12.10.2
Defined Approach Requirements: 
At least once every 12 months, the security incident response plan is:

Customized Approach Objective:
The incident response plan is kept current and tested periodically. 

Defined Approach Testing Procedures:

Purpose:
Proper testing of the security incident response plan can identify broken business processes and ensure key steps are not missed, which could result in increased exposure during an incident. Periodic testing of the plan ensures that the processes remain viable, as well as ensuring that all relevant personnel in the organization are familiar with the plan. 

Good Practice:
The test of the incident response plan can include simulated incidents and the corresponding responses in the form of a “table-top exercise”, that include participation by relevant personnel. A review of the incident and the quality of the response can provide entities with the assurance that all required elements are included in the plan. 

Defined Approach Requirements: 
Specific personnel are designated to be available on a 24/7 basis to respond to suspected or confirmed security incidents. 

Customized Approach Objective:
Incidents are responded to immediately where appropriate. 

Defined Approach Testing Procedures:

Purpose:
An incident could occur at any time, therefore if a person who is trained in incident response and familiar with the entity’s plan is available when an incident is detected, the entity’s ability to correctly respond to the incident is increased. 

Good Practice:
Often, specific personnel are designated to be part of a security incident response team, with the team having overall responsibility for responding to incidents (perhaps on a rotating schedule basis) and managing those incidents in accordance with the plan. The incident response team can consist of core members who are permanently assigned or “on-demand” personnel who may be called up as necessary, depending on their expertise and the specifics of the incident. 
Having available resources to respond quickly to incidents minimizes disruption to the organization. 
Examples of types of activity the team or individuals should respond to include any evidence of unauthorized activity, detection of unauthorized wireless access points, critical IDS alerts, and reports of unauthorized critical system or content file changes. 

12.10.4
Defined Approach Requirements: 
Personnel responsible for responding to suspected and confirmed security incidents are appropriately and periodically trained on their incident response responsibilities. 

Customized Approach Objective:
Personnel are knowledgeable about their role and responsibilities in incident response and are able to access assistance and guidance when required. 

Defined Approach Testing Procedures:

Purpose:
Without a trained and readily available incident response team, extended damage to the network could occur, and critical data and systems may become “polluted” by inappropriate handling of the targeted systems. This can hinder the success of a post-incident investigation. 

Good Practice:
It is important that all personnel involved in incident response are trained and knowledgeable about managing evidence for forensics and investigations. 

12.10.4.1
Defined Approach Requirements: 
12.10.4.1 The frequency of periodic training for incident response personnel is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. 

Customized Approach Objective:
Incident response personnel are trained at a frequency that addresses the entity’s risk. 

Applicability Notes:
This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment. 

Defined Approach Testing Procedures:

Purpose:
Each entity’s environment and incident response plan are different and the approach will depend on a number of factors, including the size and complexity of the entity, the degree of change in the environment, the size of the incident response team, and the turnover in personnel.
Performing a risk analysis will allow the entity to determine the optimum frequency for training personnel with incident response responsibilities. 

12.10.5
Defined Approach Requirements: 
The security incident response plan includes monitoring and responding to alerts from security monitoring systems, including but not limited to:

Customized Approach Objective:
Alerts generated by monitoring and detection technologies are responded to in a structured, repeatable manner. 

Applicability Notes:
The bullet above (for monitoring and responding to alerts from a change- and tamper-detection mechanism for payment pages) is a best practice until 31 March 2025, after which it will be required as part of Requirement 12.10.5 and must be fully considered during a PCI DSS assessment. 

Defined Approach Testing Procedures:

Purpose:
Responding to alerts generated by security monitoring systems that are explicitly designed to focus on potential risk to data is critical to prevent a breach and therefore, this must be included in the incident-response processes. 

12.10.6
Defined Approach Requirements: 
The security incident response plan is modified and evolved according to lessons learned and to incorporate industry developments. 

Customized Approach Objective:
The effectiveness and accuracy of the incident response plan is reviewed and updated after each invocation. 

Defined Approach Testing Procedures:

Purpose:
Incorporating lessons learned into the incident response plan after an incident occurs and in-step with industry developments, helps keep the plan current and able to react to emerging threats and security trends. 

Good Practice:
The lessons-learned exercise should include all levels of personnel. Although it is often included as part of the review of the entire incident, it should focus on how the entity’s response to the incident could be improved. 
It is important to not just consider elements of the response that did not have the planned outcomes but also to understand what worked well and whether lessons from those elements that worked well can be applied areas of the plan that didn’t. 
Another way to optimize an entity’s incident response plan is to understand the attacks made against other organizations and use that information to fine-tune the entity’s detection, containment, mitigation, or recovery procedures. 

12.10.7
Defined Approach Requirements: 
 Incident response procedures are in place, to be initiated upon the detection of stored PAN anywhere it is not expected, and include:

Customized Approach Objective:
Processes are in place to quickly respond, analyze, and address situations in the event that cleartext PAN is detected where it is not expected. 

Applicability Notes:
This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment. 

Defined Approach Testing Procedures:

Purpose:
Having documented incident response procedures that are followed in the event that stored PAN is found anywhere it is not expected to be, helps to identify the necessary remediation actions and prevent future leaks. 

Good Practice:
If PAN was found outside the CDE, analysis should be performed to 1) determine whether it was saved independently of other data or with sensitive authentication data, 2) identify the source of the data, and 3) identify the control gaps that resulted in the data being outside the CDE. 
Entities should consider whether there are contributory factors, such as business processes, user behavior, improper system configurations, etc. that caused the PAN to be stored in an unexpected location. If such contributory factors are present, they should be addressed per this Requirement to prevent recurrence.