Any organisation that handles payment cards, including debit and credit cards, must meet the 12 requirements of the PCI DSS directly or through a compensating control.
A compensating control can be applied when an organisation can demonstrate that it has sufficiently mitigated the risks associated with the requirement. Compensating controls must always be approved on a case-by-case basis by a PCI QSA.
The 12 requirements consist of a set of detailed security controls that enable businesses to protect credit card data. The PCI DSS requires that all merchants and service providers fully document and implement the relevant processes and procedures for each of these requirements.
The PCI DSS has introduced changes across all 12 of its requirements, including modifications to the rules on penetration testing, service provider responsibilities, password and credential requirements, and malware detection, among others.
The evolving Requirements 11.3 and 11.4 of PCI DSS also mandate that organisations implement and document a penetration testing methodology to verify that the cardholder data environment (CDE) is properly segmented from other networks.
Documentation forms a key part of PCI DSS compliance
Documentation (in the form of policies, procedures, checklists and supporting forms) is an integral part of a PCI DSS compliance programme. Compiling these policies and procedures can be a time-consuming and challenging task. Documentation must support all applicable PCI requirements and provide practical operational guidelines for anyone working with payment card data.
For instance, Requirement 11 of the PCI DSS states that organisations should “regularly test security systems and processes”. Requirement 11 has 12 sub-requirements, all of which require documented evidence that controls have been effectively implemented.
The IT Governance PCI DSS Documentation Toolkit provides you with all the policies, procedures and work instructions you need to achieve compliance with the Standard. Containing an extensive list of policies and procedures appropriate for the PCI DSS, it can save you hours of work and expensive consultancy fees.
In addition to the policies and procedures, the toolkit includes a set of project management tools, such as a roles and responsibilities matrix, a document checker, a gap analysis tool, a scoping guide and encryption key management guide, in addition to several other resources. All of the templates have been designed from a PCI audit perspective by a qualified PCI QSA, and can easily be customised.
Sample of the Document Checker in the PCI DSS Toolkit (includes guidance on which documents are relevant to which SAQs).
A documentation toolkit can help make PCI certification fast and simple. Significantly reduce the amount of effort you spend keeping your business PCI-compliant – purchase the toolkit today.
IT Governance is an authorised PCI Qualified Security Assessor (QSA), supplying the full range of PCI compliance and assessment products and services. Contact us today for a gap analysis to receive an interim assessment prior to a QSA audit.