When it comes to PCI DSS, simply having an incident response plan (IRP) isn’t enough; you also need to prove it works. Requirement 12.10.2 mandates that, at least once every 12 months, organizations review the plan (updating its content as needed) and test it, covering all of the elements listed in Requirement 12.10.1.
Why? Because periodic testing ensures that your plan is still viable, up to date, and that your personnel know exactly what to do if a real payment card data breach occurs.
What Counts as Testing?
The testing can take different forms, but the most common approach is a tabletop exercise.
What is a Tabletop Exercise?
A tabletop exercise is a structured discussion where key staff walk through a simulated incident scenario—such as a payment card data breach—in a meeting-style environment. Unlike a full-scale simulation, it doesn’t involve live systems or “hands-on” activities. Instead, it focuses on decision-making, communications, and testing whether policies and procedures actually work when put under pressure.
Tabletop exercises are particularly useful because:
- They can be run with minimal resources.
- They encourage cross-departmental collaboration.
- They highlight gaps in communication and process before a real incident occurs.
Key Considerations for PCI DSS Compliance
When planning your 12.10.2 incident response testing, keep these points in mind:
- Cover all of Requirement 12.10.1. Your exercise must address every component of your incident response plan, not just a subset. In PCI DSS v4.0 that means the elements 12.10.1 calls out: roles and responsibilities, communication and contact strategies (including notification of payment brands and acquirers), specific incident response procedures, business recovery and continuity, data backup processes, legal requirements for reporting compromises, and coverage of all critical system components. In practice the walk-through should therefore exercise detection, containment, communication, escalation, and recovery.
- Simulate a real cardholder data breach. Your QSA will want to see that you tested a real-world payment card data breach scenario, not a simple “system outage” or “break/fix” exercise. The purpose is to validate how your team handles an actual compromise of card data.
- Use it as training under 12.10.4 (if applicable). If you intend to use this exercise to meet the training requirement of 12.10.4, ensure that all relevant personnel are present. This means not just IT staff, but also compliance officers, legal, HR, communications, and executive management where appropriate.
Sample Tabletop Exercise Scenario
Here’s a simple framework you can adapt for your own 12.10.2 testing:
Scenario:
Your security operations team detects unusual outbound network traffic from a payment application server. Investigation shows evidence of unauthorized access to cardholder data.
Discussion Prompts:
- Detection: How was the incident discovered? Was it through logs, alerts, or staff reports? Are we confident that our current logging and alerting would detect this kind of attack, or are there gaps we need to address?
- Containment: What steps should be taken immediately to isolate the affected system(s)? Who authorizes this?
- Escalation: Who is notified first: compliance, IT, executive management, acquirer/processor? How fast? Do we need to engage a PCI Forensic Investigator (PFI)? Keep in mind that a PFI engagement is typically required by the payment brands or acquirer rather than being the merchant’s own decision.
- Communication: How are internal teams, third parties, and potentially customers informed? Who approves messaging?
- Evidence Handling: How is forensic evidence preserved without contaminating it (for example, not rebuilding, patching, or powering off the affected system before it has been imaged)? Should our own staff be doing this, or should it be left to a PFI?
- Legal/Regulatory: When does legal counsel get involved? What about law enforcement? Are we required to notify any government or industry bodies?
- Recovery: How is the compromised system rebuilt or restored safely?
- Post-Incident: What lessons learned are documented, and how does the IRP get updated?
Goal: By walking through these questions, your team demonstrates that the incident response plan addresses all aspects of PCI DSS 12.10.1 and that staff know their roles under pressure.