Technology can only do so much to protect an organisation from data breaches. That’s why Requirement 12 of the Payment Card Industry Data Security Standard (PCI DSS) states that organisations should actively manage their data protection responsibilities by establishing, updating and communicating security policies and procedures in response to regular risk assessments.
Just as technical controls address vulnerabilities in systems, security policies address vulnerabilities in what is often considered an organisation’s weakest link: its staff. If employees don’t know or understand what’s expected of them, they are likely to put cardholder data at risk, regardless of any other security measures in place.
What’s in a PCI policy?
A PCI policy is a collection of written procedures and guides that state how an organisation manages its cardholder data environment (CDE). Policies might address:
- Information security: This details the organisation’s security strategy in relation to the storage, processing and transmission of credit card data. It provides a detailed outline of information security responsibilities for all staff, contractors, partners and third parties that access the CDE.
- Formal security awareness: This identifies the organisation’s responsibilities when implementing a PCI security awareness training programme intended for anyone who has access to the CDE. Staff should take this programme during their induction and repeat it at least once a year or whenever there is a security incident.
- Incident response: This is a set of instructions for detecting, responding to and limiting the effects of an information security event. Without a plan in place, organisations might not detect an attack at all, or might fail to follow the proper procedure to contain it and recover.
It’s clearly important to document your policies and procedures, but it’s just as important to keep them up to date and formally approved. This can be time-consuming and challenging, so we’ve created our PCI DSS Documentation Toolkit to simplify the job.
It supports all self-assessment questionnaires, regardless of your specific payment scenario. It’s fully aligned with the PCI DSS v3.2, so you can be sure that your policies are accurate and compliant with the Standard.
The toolkit also includes a set of project management tools, such as a roles and responsibilities matrix, a gap analysis tool and a scoping guide.