How to document PCI DSS-compliant policies and procedures – with template example

Technology can only do so much to protect an organisation from data breaches. That’s why Requirement 12 of the PCI DSS (Payment Card Industry Data Security Standard) instructs organisations to implement policies and procedures to help staff manage risks.

Employees introduce many risks into businesses that technology simply can't prevent. Misconfigured databases, email attachments sent to the wrong person and records that are improperly disposed of are common examples of the ways staff compromise information.

These are the kinds of risks that a PCI DSS policy can help prevent.

What you should include in a PCI DSS policy

A PCI policy is a collection of written procedures and guides that state how an organisation manages its CDE (cardholder data environment). It should address:

  • Information security: This details the organisation's security strategy for the storage, processing and transmission of cardholder data. It provides a detailed outline of information security responsibilities for all staff, contractors, partners and third parties that access the CDE.
  • Formal security awareness: This identifies the organisation's responsibilities when implementing a PCI security awareness training programme for anyone who has access to the CDE. Staff should take this programme during their induction and repeat it at least once a year, as the Standard requires, and ideally after any significant security incident.
  • Incident response: This is a set of instructions for detecting, responding to and limiting the effects of an information security event; PCI DSS Requirement 12 specifically calls for an incident response plan. Without a plan in place, organisations might not detect an attack, or might fail to follow proper protocol to contain it and recover.

Fast-track your documentation process

Policies and procedures only work if they are regularly reviewed and updated so that they continue to do what they were written to do (the Standard requires the security policy to be reviewed at least annually and updated when the environment changes). This can be time-consuming and challenging, so we've created our PCI DSS Documentation Toolkit to simplify the job.

This toolkit includes all the template documents you need to ensure complete coverage of your PCI DSS requirements.

Below is an example of one of the customisable templates in our Documentation Toolkit:
[Screenshot of one of our PCI DSS template documents]

It contains all the information you need to ensure PCI DSS compliance; all you need to do is fill in the sections that are relevant to your organisation.

The toolkit also contains a document checker to help you select and edit the appropriate policy, so that you can create and amend documents as needs arise.

The toolkit supports all self-assessment questionnaires, regardless of your specific payment scenario. It’s fully aligned with the PCI DSS, so you can be sure that your policies are accurate and compliant with the Standard.

A version of this blog was originally published on 13 November 2017.