PCI Requirement 3.7 – Security Policies & Operational Procedures

by Randy Bartels / July 28th, 2017

PCI Requirement 3 states, “Protect stored cardholder data.” We’ve discussed encryption, truncation, masking, and hashing – all methods that can be used to protect cardholder data. We’ve talked about dual control, split knowledge, rendering data unreadable, key custodians, PAN, and sensitive authentication data – all elements that need to be understood in order to fully protect and store cardholder data. But it’s not enough just to learn and talk about these things; all policies, procedures, and standards must be implemented in order to comply with PCI Requirement 3 and to appropriately store cardholder data.

At the end of each of the PCI DSS v3.2 Requirements, we have what we like to call a “capstone.” At the end of Requirement 3, we have PCI Requirement 3.7. It states, “Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties.” Requirement 3.7 is not only saying that your organization needs to maintain documented security policies and operational procedures; the policies and procedures need to be known and in use by all relevant parties. Your personnel must be living out what the policies, procedures, and standards require of them. It is a requirement of this framework that the affected parties use the policies and procedures as a way of managing your organization’s assets. It is not sufficient that you generate documentation just for the sake of the audit.

With this requirement, we come to the capstone for Requirement 3, which was the protection of cardholder data at rest. Requirement 3.7 requires that you have and maintain policies, procedures, and standards. These policies, procedures, and standards need to actually be in use; it’s not enough just to have them documented. You actually need to be living out what they require you to do from an organizational perspective, and your staff needs to be knowledgeable of them. From an assessment perspective, we’re going to be looking at your policies and procedures and interviewing staff to make sure that they are subject to these policies and procedures, that they understand them, and that they’re actually living out and practicing and doing those things that they’re required to do. We’re effectively making sure that they’re known to all affected parties.