What is PCI DSS Requirement 12.10?

PCI DSS Requirement 12.10 mandates that every entity handling payment card data implement and maintain an incident response plan capable of immediate activation on suspected or confirmed compromise of cardholder data, with annual training and testing.

How often must the PCI DSS 12.10 plan be tested?

At least annually under Requirement 12.10.2. The test should be a realistic scenario exercising the documented response procedures, with results captured and used to update the plan.

Is a PCI Forensic Investigator required for every cardholder data compromise?

PFI engagement is typically required by the card brand notification process when an actual compromise of cardholder data is confirmed. The acquiring bank or card brand will direct the entity to engage a qualified PFI from the PCI SSC list.

What changed in PCI DSS v4.0 for Requirement 12.10?

PCI DSS v4.0 (mandatory from 31 March 2025) strengthened the incident response capability requirements, expanded coverage to stored CHD outside the CDE, and added requirements for response to alerts from change-and-tamper detection mechanisms.

Does PCI DSS 12.10 require 24x7 response personnel?

Yes. Requirement 12.10.3 mandates designated personnel available on a 24x7 basis to respond to alerts. The personnel can be internal, contracted, or a managed service, but the capability must be continuous.

PCI DSS Requirement 12.10 - Incident Response Plan

PCI DSS Requirement 12.10 mandates that every entity handling payment card data implement and maintain an incident response plan capable of activation immediately on suspected or confirmed compromise of cardholder data. The requirement applies under PCI DSS v4.0 (the current version, mandatory from 31 March 2025) and earlier versions, with annual training and testing obligations.

Source: PCI DSS v4.0 (March 2022, mandatory from 31 March 2025), published by the PCI Security Standards Council.

The Seven Sub-Requirements

PCI DSS 12.10 contains seven sub-requirements:

12.10.1: An incident response plan exists and is ready to activate
12.10.2: The plan is reviewed and tested at least annually
12.10.3: Personnel are designated and available 24x7 for response
12.10.4: Personnel receive appropriate and periodic training
12.10.5: Alerts from security monitoring systems are responded to
12.10.6: The plan is modified based on lessons learned and changes
12.10.7: Incident response procedures are in place for storage of CHD outside the CDE

Notification Obligations

On confirmation of a compromise involving cardholder data, the entity must notify the affected card brands and acquiring bank promptly. Each card brand operates its own notification regime (Visa AIRS, Mastercard ADC, American Express EIRP, Discover DISC, JCB). A PCI Forensic Investigator (PFI) engagement is typically required.

What Changed in PCI DSS v4.0

Stronger emphasis on a documented incident response capability that scales with business risk
Requirements for response to specific alerts from change-and-tamper detection mechanisms
Requirements for the response plan to address compromise of stored cardholder data outside the CDE
Expanded testing expectations including realistic scenarios

Meet PCI DSS 12.10 with one platform

IR-OS supports the PCI DSS 12.10 incident response plan, annual testing, training records, and notification workflows for card brands and acquirers.

Start free

PCI DSS Requirement 12.10 - Incident Response Plan

The Seven Sub-Requirements

Notification Obligations

What Changed in PCI DSS v4.0

Related Terms

Meet PCI DSS 12.10 with one platform