The Payment Card Industry Data Security Standard (PCI DSS) requires organisations to prove their compliance with the Standard with appropriate policies and documentation. For service providers, this will include a PCI DSS charter.
Simply put, a charter is a formal assignment of authority and responsibility.
Key elements of a PCI DSS charter
Requirement 12.4.1 of the Standard states that executive management must define “a charter for a PCI DSS compliance program and communication to executive management”.
A PCI DSS charter is best practice for service providers until 31 January 2018, after which it will become a requirement.
The PCI DSS specifies that the overall responsibility for the organisation to maintain compliance is assigned to executive management. Therefore, executive management should be involved in designing the charter and assigning responsibilities.
The PCI DSS charter should define the following:
- What initiated the project?
- What is being done for whom?
- What is the project objective?
- What are the project completion criteria?
- What are the success parameters?
- What is the budget?
- What are the major milestones and target dates?
- Who are all the stakeholders?
- What are the dependencies?
- What are the perceived risks and contingencies?
The PCI DSS charter needs to be signed by the person(s) in executive management who have been assigned overall responsibility for maintaining compliance, which demonstrates that the charter has been communicated to executive management.
Help creating a PCI DSS charter template
Below is an example of what a PCI DSS charter might look like, setting out the commitment of executive management to preserve the confidentiality, integrity and availability of assets in compliance with the PCI DSS.
Developed by a leading PCI Qualified Security Assessor (QSA), the PCI DSS Documentation Toolkit contains customisable documentation templates, including a PCI DSS charter (above), for you to easily apply to your organisation’s PCI DSS activities.
Using the toolkit can help speed up what is often a time-consuming task in your PCI DSS compliance project.
The PCI DSS Documentation Toolkit includes:
- A complete set of mandatory and supporting documentation templates that are easy to use, customisable and fully PCI DSS-compliant;
- Helpful dashboards and gap analysis tools to ensure your organisation meets all the requirements of the Standard; and
- Direction and guidance from a leading QSA.