Guide to PCI Policy Requirements

by Sarah Harvey / July 25th, 2019

Introduction to the 12 PCI Requirements

The purpose of the PCI DSS is to ensure that all data that lives within the cardholder data environment (CDE) is protected and secured from theft or unauthorized use. If you are a merchant, service provider, or subservice provider who stores, processes, or transmits cardholder data, you are required to comply with the PCI DSS, but doing so may seem daunting. Why? Because the PCI DSS has almost 400 controls, 6 control objectives, and 12 major subject areas, and many organizations struggle with the documentation aspect of a PCI assessment. However, established best practice states, “If it’s not written down, it’s not happening.” Organizations need documented policies, procedures, and standards not only to control risks to business assets, but also to establish a common understanding and language that creates consistency across the organization.

What Should a PCI Policy Include?

Depending on your unique services, industry, legal requirements, or other frameworks outside PCI that you must comply with, there will be various topics that your information security policies should cover. The PCI DSS does a good job, though, of outlining which policies you absolutely need in order to begin a baseline set of PCI-compliant policies.

Here are some suggested topics that a PCI policy might include:
  • Firewall Configuration Standards and Operational Procedures
  • Operational Procedures for Managing Firewalls
  • Operational Procedures for Managing Vendor Defaults and Other Security Parameters
  • Data Retention and Disposal Policies
  • CHD Storage and Protection Policies
  • Encryption Key Management Policies and Operational Procedures
  • Operational Procedures for Encrypting Transmissions of CHD
  • Anti-Virus and Malware Software Policies
  • Security Patch Installation Policies

This list serves as an overview of what policies and procedures should be documented and implemented when pursuing PCI compliance, and it is not an all-encompassing list. For more information on the specific details of what needs to be included in each policy or procedure, we encourage you to review the current PCI DSS or contact your QSA.