What are the Required Policy and Procedure Documents for PCI DSS

As you know, cardholder data in your organization is a real goldmine for today’s cybercriminals. Regardless of how vigilant an IT team is for cardholders’ data security, everyone should take the extra step to do better. Avoiding falling victim to a costly data breach is worth every precaution.

Perhaps worse than the sudden financial loss you experience as a result of a data breach is the deterioration of customer confidence after such an event. The situation will be even worse, mainly if you are found to have missed an opportunity to avoid, detect, and respond to an attack.

It’s no secret that businesses must provide documentation to ensure everyone is on the same page, disclosing the company’s practices, and documenting non-compliance procedures. While PCI compliance documentation can be considered one of the simplest parts of the process, documentation regarding PCI compliance can be complicated and time-consuming.

See Also: How are the PCI Risk Assessment Requirements Implemented?

PCI compliance can be challenging, and a vital part of this is proper documentation. The easiest way to ensure PCI DSS compliance and documentation is to do the documentation along with the compliance requirements.

One of the most critical vulnerabilities affecting an organization is employees. Documentation helps not only to demonstrate compliance but also to implement and control safety-related practices for employees.

Why Is Proper Documentation So Important for PCI DSS?

PCI DSS compliance is not an easy route. Documentation helps identify processes by which employees and other stakeholders affect control practices. Documentation provides some degree of transparency while maintaining expectations. Formalized processes from policies to network configurations help meet requirements.

Documents should always be at the top of the list because forms are the blueprint of your protection system and processes. Employees cannot develop or implement a fair PCI compliance process without a plan. Each stage of the methods must be determined appropriately to meet and maintain PCI compliance standards.

Documentation is a critical step in defining role-based access controls and educating employees on the complexities of all processes and networking devices in the organization.

See Also: How to Implement the Security Awareness Program for PCI Compliance

Documentation also helps to maintain control of the company. The documentation provides companies with more chances to check the effectiveness of compilation, analysis, archiving controls, and a record to run when ineffective.

One of the greatest mistakes businesses make is that they are unable to recognize who has access to this type of information. While it may seem like a minor mistake, misinformation circulating within the wrong department can have huge repercussions and consequences.

What are the Documents Required for PCI DSS Compliance?

To fully comply with the PCI, three critical documentation areas are needed: policies, standards, and procedures. The most efficient documentation is written in a way that everyone in the organization can understand. Besides, the documentation should be checked regularly, along with continuous training to ensure the company is still compliant and updated as needed.

1. Policies

Policies explain what has been done by the organization. You can also think of policies as a leadership team instruction manual that clarifies and guides decision making. Policies will ensure that decisions are consistent and aligned with compliance expectations.

A unique policy should be created for each area, including internal and external traffic rules. Appropriate policies designed will help protect the cardholder’s data environment (CDE) against future threats. The policies’ existence serves as evidence of the company’s security controls and risk control processes while ensuring PCI compliance.

2. Standards

Standards describe what is required to keep successful policies in place. Clear guidelines on management practices are applied and used as a guide to determine whether the company complies with them. For this reason, the standards that each organization should comply with may differ depending on the sector and the size of the company. Various PCI Security Standards are available to assist in this process.

3. Procedures

A set of management and personnel procedures are required to enforce PCI requirements effectively. Essentially, every procedure is the steps necessary to execute a task. Documentation of every step of a process helps find anomalies and compliance gaps in the process. When determining procedures, it is essential to state which charges are ordinary, necessary, and rare.

Establishing and implementing procedures helps to minimize future system-wide threats and vulnerabilities. The risk of employees causing a security breach is reduced if employees are guided through a documented procedure. While a little challenging, it will be worth the time and effort to know that your systems are secure and that employees understand their roles.

Can Documentation Help You Strengthen Compliance with PCI DSS requirement 12?

If you have previously worked with a firm to perform a PCI DSS assessment, you probably have noticed the importance that the Qualified Security Assessors (QSA) team places on written policies, procedures, and other documents that are important to assessments.

See Also: How to Prepare Network Documentation for PCI DSS Compliance Requirements?

Your documents serve as a reference post where you and your QSAs will work during your evaluation, by the 12 requirements of the PCI DSS. Your QSAs should then follow predefined testing procedures to verify that PCI DSS controls are applied.

Comprehensive data protection principles and documentation are critical to ensuring security for your customers, stakeholders, and brand, as they demonstrate your knowledge and commitment to PCI DSS.

The documentation also indicates that you have the resources available to train your staff to meet the standards and provide a PCI compliant environment for your company as a whole.

PCI DSS Requirement 12 requires companies to develop a policy that addresses information security for all employees. As in many areas of your business, the creation and execution of documents also help protect your company from any potential liability in the event of a data breach. Easily accessible with your security policies and forms, QSAs or forensic investigators can easily see what security measures you have.

How to Develop Security Policy and Documentation Procedure to Comply with PCI DSS Requirement 12?

The best approach to drafting security policy and procedural documents for PCI DSS is to focus specifically on 12 requirements and a reference to Requirement 12. Note any criteria that may need to be discussed in security policy and documents, and then expand them by explaining them in policies and documents.

See Also: What Is Documentation Security and Why It Matters?

When you start from scratch, the thought of writing down all the policies and procedures required by PCI DSS can probably seem overwhelming. As you begin to set up your security policies and procedures, there are several issues to discuss:

• Hardening standards
• Server hardening standards
• Update and change procedures
• Vulnerability management procedures
• Data backup, retention, and data destruction policies
• Software Development Life Cycle
• User authorization and deactivation policies
• Password policies
• Anti-malware policy
• Log management policy
• The cryptographic key management process
• Physical security policies and procedures
• Employee guides
• Risk management procedure
• Proper usage policies
• Staff training procedures
• Third-party management
• Disaster recovery and incident response plans

Just as a company faces many security concerns, there are also types of security policies that cover data protection practices, emergencies, technological issues, and more. Some of these include:

• Firewall policy: This shows which firewalls are installed, how often they are changed, and who is responsible for these updates.
• Data security policy: Covers data processing and storage procedures.
• Incident response policy: Instructs staff on what to do in case of a security breach, data loss, malware detection. It is an emergency plan for your business.
• Physical security policy: Covers building security, computers, print media, and other electronic devices.
• Business continuity policy: Similar to an incident response policy that details the measures to keep the company running after an emergency or service disruption.
• Employee computer usage policy: It shows details such as which staff has access to the servers and what the staff can do with the computers.

These are the starting point ideas to help you get started on the PCI DSS requirements as they apply to your data and system.

It is equally necessary to turn to the digital side of managing your cardholder records, both you and your IT team. Below is an example of the types of system-based policies and procedures that can make the job more manageable throughout the year:

• Regularly install, apply, update and run anti-virus software.
• Use data definition software to ensure sensitive data is safe and appropriate where it is adequately protected or deleted.
• Use encryption tools for maximum protection on all devices and in the cloud.
• Install updates as soon as possible after a vulnerability is found and keep track of any issues and the dates they occurred.
• Grant access to network cardholder files on a need-to-know basis only.
• Carefully consider any third party access to your network. Grant and monitor access only as long as it takes to complete. Immediately disable access if done.

Your approach to processing cardholder data is key to keeping it safe under your protection. On the human side, you should only set a few policies and procedures that follow:

• Treat cardholder data confidentially.
• Securely delete all data that is unnecessary to do business in any form, such as paper or electronic.
• Create a response to credit card data received via e-mail, such as contacting the IT department immediately to delete the e-mail from the system where it is vulnerable. Also, develop a plan by contacting the e-mail sender to notify you that you do not confirm such information by e-mail due to cardholder data risk.
• If you appear with a card data open, mask the cardholder account numbers.
• Restrict employee access to CHD on a need-to-know basis, electronically or through paper documents.

What Documents Do I Need for PCI DSS Compliance?

To stay one step ahead of the game in your quest for PCI DSS compliance, we have listed all the required per requirement documentation in our PCI DSS Documentation Checklist.

It can seem like a daunting list when you don’t think about the impact of documentation on your IT and PCI environments. The good news is that when the auditor asks you to have documents on these various conditions, you now have a strategy to help you get started!

The PCI DSS document checklist will help you track the high-level, quarterly, semi-annual and annual requirements outlined in the PCI Data Security Standard. There is a slight difference in the Merchants and Service Providers’ list as the requirements are slightly different for the two.

PCI DSS REQUIREMENT 1 – Firewall and router configurations.

• Firewall and router configuration
• Network Diagram
• Data Flow Chart
• Network Policy
• Firewall Rule Set Review Analysis

See Also: PCI DSS Network and Data Flow Diagrams

PCI DSS REQUIREMENT 2 – Document configuration parameters and include PCI security best practices.

• Hardening Configurations
• Inventory of system components
• Data Retention and Destruction Policy
• Data Storage and destruction process

PCI DSS REQUIREMENT 3 – Protect keys from disclosure and misuse.

• Disk Encryption Management
• Key Management Policy
• Key Management Process
• Key Custody Responsibility – Acceptance Form

PCI DSS REQUIREMENT 4 – Use strong cryptography and secure protocols when transferring cardholder data.

• Network Policy
• Hardening Configurations and Firewall and Router Configurations

PCI DSS REQUIREMENT 5 – Document and enforce anti-virus policy

• Anti-virus Policy

PCI DSS REQUIREMENT 6 – Document change control processes and procedures. Document safe software development procedures.

• Infrastructure Change Process
• Software development policy
• Software development process
• Security Test Process
• Secure software development process

PCI DSS REQUIREMENT 7 – Written access control policy that limits access to system components and cardholder data.

• Access Control Policy

PCI DSS REQUIREMENT 8 – Policies and procedures for user identity management controls.

• Access Control Process
• Duties and Responsibilities

PCI DSS REQUIREMENT 9 – Documented facility controls to limit and monitor physical access to systems.

• Physical Access Policy
• Physical Access Process
• Physical Safe Storage Policy
• Physical Safe Storage Process
• Inventory of devices capturing the payment card data process
• Periodically examine the devices that capture the payment card data process.
• Security awareness training on attempts to replace devices that capture payment card data

PCI DSS REQUIREMENT 10 – Audit logs for all system components in the cardholder data environment.

• System Monitoring Policy
• System Monitoring Process

PCI DSS REQUIREMENT 11 – Documented evidence of internal and external network vulnerability scans and penetration testing.

• Wireless Scanning Process
• Authorized Wireless Access Points Inventory
• Internal Network Vulnerability Scans
• External Network Vulnerability scans (ASV)
• External Penetration Test Report
• Internal Penetration Test Report

PCI DSS REQUIREMENT 12 – Evidence of security policy created, published, maintained, and distributed to all relevant personnel.

• Security Policy
• Risk assessment
• Usage Policies
• Security Awareness Program
• Management Services Providers Process
• Incident Response Plan
• Duties and Responsibilities
• HR Policy

You can find the general list of documents that may be required for a PCI DSS audit above. Note that this list may change depending on the PCI environment implementation and job type.