PCI Policies, Procedures and Evidence – What is expected?

Alastair Stewart | Senior Consultant at URM | Published on 8 Aug 2022


While it’s one of the areas that IT and security departments find challenging, documentation (and compliant evidence) is what makes for a happy and satisfied PCI Qualified Security Assessor (QSA), and, more importantly, a successful PCI compliance audit!  Successful compliance programmes invariably depend on the accurate and consistent recording of events and the adherence to well-defined policies and procedures.

These documents ensure all staff are aware of their obligations, and they define the actions needed to achieve a secure and compliant environment. For a number of PCI requirements, certain documents must be reviewed periodically, or the instructions they contain must be carried out at specific intervals.

If the actions in question (e.g. firewall rule reviews or external vulnerability scans) are not performed as instructed, the entire compliance initiative may be jeopardised.  Organisations are well-advised to analyse their documentation and evidentiary requirements and summarise these centrally, where the content, the review dates and the resulting actions can be tracked.

Security policies and procedures are not a new concept and, coupled with the multitude of security standards that have been developed over the past few decades, there’s no need to start from scratch and be overly creative.  

As long as the documents are clear, concise, deliver the intended message, are customised to the environment in question and elicit the necessary behaviour, the document set will achieve the desired outcome.   It is essential that you ensure all PCI control statements which require explicit documentation are included in the relevant documents.  This will save you both time and resources when addressing this necessary, albeit challenging, task.

The list of documents and evidence artefacts that act as the baseline for achieving compliance with the PCI DSS is very extensive.

Not all documents will be obligatory for all organisations; however, a significant number will need to have been implemented in order for a successful outcome to be achieved.  If these documents, procedures and activities geared towards producing the necessary evidence are in place, you are well on the way to attaining compliance.  To illustrate the type of documents and evidence you will typically need to develop and implement (by no means an exhaustive list!), here is a starter for ten:

Documents

  1. Network device management policy
  2. Wireless scanning procedure (rogue access points)
  3. Remote access policy (staff/vendor)
  4. Device configuration standards
  5. Visitor policy
  6. Operational security procedures

Evidence

  1. Network diagrams
  2. Dataflow diagrams
  3. Incident response test
  4. Role-based access matrix
  5. Vulnerability scans
  6. Risk register
  7. Third party contracts (soft copy)
Alastair Stewart, Senior Consultant at URM, is one of the most experienced and proficient Payment Card Industry Qualified Security Assessors (PCI QSAs) in the UK. He has completed in excess of one hundred successful Reports on Compliance (RoCs) against different PCI DSS versions, along with supporting the completion of self-assessment questionnaires (SAQs).