top of page
< Back

12.2 PCI DSS (v3.2.1)

Compliance Standard

Compliance Version

Control ID




Requirement 12: Maintain a policy that addresses information security for all personnel


Implement a risk-assessment process that:
• Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.),
• Identifies critical assets, threats, and vulnerabilities, and
• Results in a formal, documented analysis of risk.

Examples of risk-assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP 800-30.

bottom of page