Drafting detailed data protection policies and documentation is vital for improving security for your customers, stakeholders and brand because it demonstrates your understanding of, and commitment to, the PCI DSS (Payment Card Industry Data Security Standard). From policy, to procedure, to configuration standard, a significant proportion of PCI DSS compliance begins with documentation.
Deploying security technologies can only go so far in protecting an organisation and helping maintain compliance.
Nearly 1 in 5 data breaches caused by human error
Verizon’s 2018 Data Breach Investigations Report identified that almost 1 in 5 data breaches (17%) were the result of human error.
Policies are needed to address the weak link in security – people. If your employees don’t know or understand what’s expected of them, they can put cardholder data at risk, regardless of the other security measures you have in place. Policies play an important role in securing data. They are the foundation for everything else as they provide direction and instruction, and assign responsibility.
What’s in a PCI policy set?
PCI DSS compliance requires that all merchants and service providers document the processes and procedures they put in place. These policies and procedures can then serve as a guide, following the 12 requirements of the PCI DSS, from which you and your QSA (Qualified Security Assessor) can work during your assessment.
The policies might address:
Information security: This details the organisation’s security strategy in relation to the storage, processing and transmission of credit card data. It provides a detailed outline of information security responsibilities for all staff, contractors, partners and third parties that access the CDE (cardholder data environment).
Formal security awareness: This identifies the organisation’s responsibilities when implementing a PCI security awareness training programme and is intended for anyone who has access to the CDE. Staff should take this programme during their induction and repeat it at least annually or whenever there is a security incident.
Incident response: This is a set of instructions for detecting, responding to and limiting the effects of an information security event. Without a plan in place, organisations might not detect an attack, or might fail to follow the proper protocol to contain it and recover.
Nothing here should surprise an experienced security professional. The policy requirements are basic information security best practices. Therefore, when structuring your PCI policy set, we advise doing so alongside the development of your core information security policy.
To gain a greater understanding of how to develop PCI policies, join our QSAs to learn:
- The differences between a policy, a form and a procedure;
- How to identify which policies and clauses you need to address; and
- How to clearly state the tasks and responsibilities your organisation has when handling payment card data.