GRCWatch
Sign inStart free trial

PCI DSS 12.10.3: Designate 24x7 Incident Response Personnel

Payment card data breaches don't wait for business hours—neither should your incident response. PCI DSS 12.10.3 requires your organization to have specific personnel available round-the-clock to detect, investigate, and respond to suspected or confirmed security incidents. This control ensures you can respond immediately when a breach occurs, minimizing damage and meeting compliance obligations.

What this means

This control mandates that you designate specific individuals or teams who are contractually or employment-obligated to be available 24 hours a day, 7 days a week to respond to security incidents. These personnel must have the authority, knowledge, and access to take immediate action when a breach is detected—whether through automated alerts, customer reports, or internal discovery. The requirement isn't that one person covers all hours; instead, you need documented coverage schedules, backup responders, and clear escalation procedures to ensure no incident goes unaddressed due to unavailable staff.

How to comply

  1. 1.Identify and formally designate incident response personnel with explicit 24/7 availability requirements in their job descriptions or contracts
  2. 2.Create a documented on-call schedule that ensures coverage across all time zones and holidays with primary and backup responders
  3. 3.Define clear incident response roles, responsibilities, and decision-making authority for each designated person
  4. 4.Ensure designated personnel have access to incident detection systems, logging platforms, and communication channels at all times
  5. 5.Establish escalation procedures and contact information (phone, email, messaging) for reaching responders outside normal business hours
  6. 6.Train all designated personnel on incident identification, initial response procedures, and when to escalate to management or external resources
  7. 7.Review and update 24/7 coverage arrangements quarterly or whenever personnel changes occur
  8. 8.Document proof of availability through signed acknowledgments, on-call agreements, or RACI matrices

Evidence auditors look for

  • On-call schedule showing 24/7 coverage with named personnel and their contact information
  • Job descriptions or employment contracts explicitly requiring 24/7 incident response availability
  • Incident response policy documenting designated responders and their roles
  • Call log or RACI matrix showing incident response team structure and backup coverage
  • Training records confirming designated personnel completed incident response procedures training
  • Evidence of testing (incident response drills) showing designated personnel can be reached and respond
  • Escalation procedures document with names, titles, and contact information
  • Communication system access logs or VPN records demonstrating responders can access systems outside business hours

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates incident response tracking and scheduling, maintaining your 24/7 coverage matrix in one place, sending real-time alerts to on-call personnel, and documenting response times to prove compliance during audits.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 12.10.1 — Establish Incident Response ProceduresPCI DSS 12.10.2 — Establish Incident Response ContactsPCI DSS 12.10.4 — Investigate and Report IncidentsPCI DSS 12.10.6 — Develop Post-Incident Response Plans