PCI DSS 12.10.3: Designate 24x7 Incident Response Personnel
Payment card data breaches don't wait for business hours—neither should your incident response. PCI DSS 12.10.3 requires your organization to have specific personnel available round-the-clock to detect, investigate, and respond to suspected or confirmed security incidents. This control ensures you can respond immediately when a breach occurs, minimizing damage and meeting compliance obligations.
What this means
This control mandates that you designate specific individuals or teams who are contractually or employment-obligated to be available 24 hours a day, 7 days a week to respond to security incidents. These personnel must have the authority, knowledge, and access to take immediate action when a breach is detected—whether through automated alerts, customer reports, or internal discovery. The requirement isn't that one person covers all hours; instead, you need documented coverage schedules, backup responders, and clear escalation procedures to ensure no incident goes unaddressed due to unavailable staff.
How to comply
- 1.Identify and formally designate incident response personnel with explicit 24/7 availability requirements in their job descriptions or contracts
- 2.Create a documented on-call schedule that ensures coverage across all time zones and holidays with primary and backup responders
- 3.Define clear incident response roles, responsibilities, and decision-making authority for each designated person
- 4.Ensure designated personnel have access to incident detection systems, logging platforms, and communication channels at all times
- 5.Establish escalation procedures and contact information (phone, email, messaging) for reaching responders outside normal business hours
- 6.Train all designated personnel on incident identification, initial response procedures, and when to escalate to management or external resources
- 7.Review and update 24/7 coverage arrangements quarterly or whenever personnel changes occur
- 8.Document proof of availability through signed acknowledgments, on-call agreements, or RACI matrices
Evidence auditors look for
- On-call schedule showing 24/7 coverage with named personnel and their contact information
- Job descriptions or employment contracts explicitly requiring 24/7 incident response availability
- Incident response policy documenting designated responders and their roles
- Call log or RACI matrix showing incident response team structure and backup coverage
- Training records confirming designated personnel completed incident response procedures training
- Evidence of testing (incident response drills) showing designated personnel can be reached and respond
- Escalation procedures document with names, titles, and contact information
- Communication system access logs or VPN records demonstrating responders can access systems outside business hours
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates incident response tracking and scheduling, maintaining your 24/7 coverage matrix in one place, sending real-time alerts to on-call personnel, and documenting response times to prove compliance during audits.
See how GRCWatch handles this control automatically
Start free trial