
PCI Policies, Procedures and Evidence

What is expected?

By Mary Fleming. Published 10 months ago. 3 min read.

Documentation and compliance evidence are a challenge for IT and security teams, but they are what a PCI Qualified Security Assessor (QSA) tests against, and a PCI DSS assessment cannot succeed without them. The effectiveness of a PCI DSS compliance program relies heavily on recording events accurately and consistently, and on adhering to well-defined policies and procedures.

These documents inform staff of their responsibilities and set out the actions needed to create a secure and compliant environment. Some PCI requirements call for specific documents to be reviewed, or specific instructions to be carried out, at designated intervals. Missing a required activity, such as a firewall rule review or an external vulnerability scan, can jeopardize the entire compliance initiative: a QSA looks for evidence that the activity actually happened at the required frequency, not merely that a procedure describing it exists. To mitigate this risk, organizations are advised to centrally inventory their documentation and evidence requirements, including the required frequency of each, and summarize them so that both the content and the resulting actions can be tracked.
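One way to keep that central inventory honest is to record, for each periodic requirement, its maximum allowed interval and the date of the most recent evidence artefact, then compute what is overdue or about to fall due. The script below is an added example written for this page, not the author's own tooling; the cadences, item names and artefact paths are constructed assumptions, and the intervals should be confirmed against the PCI DSS version you are assessed against.

```python
"""Evidence cadence tracker (added example, not from the original article).

Each record pairs a PCI-required periodic activity with how often it must be
evidenced and when it was last done. The checker reports what is OVERDUE or
DUE_SOON relative to an as-of date. Cadences below are assumptions based on
common PCI DSS expectations; confirm them against your applicable version.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class EvidenceItem:
    name: str
    cadence_days: int        # maximum allowed interval between occurrences
    last_performed: date     # date of the most recent evidence artefact
    artefact: str            # where the evidence lives (path, ticket, etc.)


# Constructed sample inventory; dates, cadences and paths are illustrative only.
SAMPLE_INVENTORY = [
    EvidenceItem("External vulnerability scan (ASV)", 90, date(2024, 1, 15), "scans/asv-2024q1.pdf"),
    EvidenceItem("Firewall rule set review", 180, date(2023, 9, 1), "reviews/fw-2023h2.docx"),
    EvidenceItem("Wireless rogue access point scan", 90, date(2024, 3, 20), "scans/wifi-2024-03.csv"),
    EvidenceItem("Incident response plan test", 365, date(2023, 6, 10), "ir/tabletop-2023.pdf"),
    EvidenceItem("User access review", 180, date(2024, 2, 1), "iam/access-review-2024q1.xlsx"),
]

# Assumed reporting date for the sample run.
AS_OF = date(2024, 4, 10)


def classify(item, as_of, warn_days=14):
    """Return (status, next_due) for one item relative to as_of.

    OVERDUE  : next_due has passed; there is a gap a QSA will note.
    DUE_SOON : within warn_days of next_due.
    OK       : otherwise.
    """
    next_due = item.last_performed + timedelta(days=item.cadence_days)
    if as_of > next_due:
        return "OVERDUE", next_due
    if (next_due - as_of).days <= warn_days:
        return "DUE_SOON", next_due
    return "OK", next_due


def report(inventory, as_of, warn_days=14):
    """Classify every item and return {status: [item names]}, most urgent first."""
    out = {"OVERDUE": [], "DUE_SOON": [], "OK": []}
    for item in sorted(inventory, key=lambda i: classify(i, as_of, warn_days)[1]):
        status, _ = classify(item, as_of, warn_days)
        out[status].append(item.name)
    return out


def print_report(inventory, as_of, warn_days=14):
    """Human-readable listing, ordered by next due date."""
    for item in sorted(inventory, key=lambda i: classify(i, as_of, warn_days)[1]):
        status, next_due = classify(item, as_of, warn_days)
        print(f"{status:9} {item.name:36} last={item.last_performed} "
              f"due={next_due} -> {item.artefact}")


if __name__ == "__main__":
    print_report(SAMPLE_INVENTORY, AS_OF)
```

Run it on a real inventory by replacing SAMPLE_INVENTORY with records exported from wherever evidence is filed; the artefact column is there so that the line flagged as overdue points straight at the last thing you can actually show an assessor.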

Security policies and procedures are not a new concept, and with the many established security standards developed over the past few decades there is no need to reinvent the wheel. As long as the documents are clear and concise, convey the intended message, are tailored to the specific environment, and drive the required behaviors, they will achieve the desired outcome. Make sure every PCI control statement that calls for explicit documentation is covered somewhere in the document set, and know which document covers it; that mapping saves time and resources when tackling this necessary but demanding task.

Not every document is mandatory for every organization, but a considerable number must be in place to achieve a successful outcome in a PCI DSS audit. With these documents, procedures, and activities producing the required evidence, an organization is well on its way to PCI DSS compliance. To give an idea of the types of documents and evidence typically needed for a PCI DSS audit (this is not an exhaustive list), here are some examples to start with:

DOCUMENTS

• Policy for managing network devices. This policy sets out how network devices, such as routers, switches, and firewalls, are to be configured, monitored, and managed to protect cardholder data (CHD) and other sensitive information. It typically covers access controls, periodic review of device configurations and rule sets, change management, and the requirement that every permitted service, protocol, and port has a documented business justification so that stale or unjustified rules can be identified and removed.

• Procedure for scanning wireless networks to detect rogue access points. This procedure describes how regular scans of the wireless environment are conducted to identify unauthorized or rogue access points. It specifies the frequency of scans, the locations covered, the tools used, and the steps for investigating and resolving anything found. The scan is only meaningful if its results are reconciled against a maintained inventory of authorized access points, so that inventory, with a business justification for each device, belongs alongside the procedure.

• Policy for remote access, applicable to staff and vendors. This policy governs how remote access to the cardholder data environment is requested, granted, and managed. It sets the requirements for secure remote connections: multi-factor authentication for access originating from outside the organization's network, access controls, encryption of the session, vendor accounts enabled only for the period they are needed, and regular review of remote access accounts to prevent unauthorized access.

• Standards for configuring devices. These standards provide the baseline configuration for system components in the cardholder data environment, such as servers, databases, network devices, and applications. They cover security settings such as password and account policies, encryption, changing vendor defaults, and disabling unnecessary services and protocols, and they should be consistent with an industry-accepted hardening source (for example CIS benchmarks or vendor hardening guides) and updated as new vulnerabilities are identified.

• Policy for managing visitors. This policy addresses the management of visitors to facilities where cardholder data is processed, stored, or transmitted. It includes procedures for visitor registration, identification badges that distinguish visitors from staff, escorting and access controls for sensitive areas, and retention of the visitor log (PCI DSS requires it to be kept for at least three months) so that physical access can be reconstructed after the fact.

• Procedures for operational security. These procedures cover the day-to-day practices that keep the environment secure and compliant between assessments. This includes patch management, anti-malware updates, system configuration reviews, log review and monitoring of security events, and the handling of exceptions, each with a defined owner and frequency so that the resulting records serve as evidence.
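The wireless scanning procedure above is only evidence of a working control once the scan output has been reconciled against the authorized access point inventory. The script below is an added example for this page, not the author's or any vendor's tooling; the CSV layout, field names, inventory and signal threshold are constructed assumptions standing in for whatever your survey tool exports.

```python
"""Rogue access point reconciliation (added example, not from the article).

Compares a wireless scan export (constructed sample below) against an
inventory of authorized access points and flags:
  - authorized BSSIDs broadcasting an SSID the inventory does not list
  - unknown BSSIDs broadcasting a corporate SSID (possible evil twin)
  - unknown BSSIDs seen at high signal strength (likely on premises)
It also lists authorized APs the scan never saw, which usually means the
device is down or the survey missed an area. CSV layout, field names and
the -70 dBm threshold are assumptions for illustration.
"""
import csv
import io

CORPORATE_SSIDS = {"ACME-CORP", "ACME-POS"}   # assumed in-scope SSIDs

# Assumed inventory: BSSID -> (expected SSID, location). Constructed sample.
AUTHORIZED_APS = {
    "aa:bb:cc:00:00:01": ("ACME-CORP", "Store 12 back office"),
    "aa:bb:cc:00:00:02": ("ACME-POS", "Store 12 sales floor"),
    "aa:bb:cc:00:00:03": ("ACME-CORP", "Store 12 stock room"),
}

# Constructed scan export in a shape many survey tools can produce.
SAMPLE_SCAN_CSV = """bssid,ssid,channel,rssi_dbm
aa:bb:cc:00:00:01,ACME-CORP,6,-48
aa:bb:cc:00:00:02,ACME-POS,11,-52
aa:bb:cc:00:00:03,ACME-GUEST,1,-50
DE:AD:BE:EF:00:01,ACME-CORP,6,-45
de:ad:be:ef:00:02,NeighborCafe,1,-85
de:ad:be:ef:00:03,Setup-2G,11,-41
"""


def parse_scan(text):
    """Yield dicts with normalized BSSID, SSID, channel (int) and rssi (int)."""
    for row in csv.DictReader(io.StringIO(text)):
        yield {
            "bssid": row["bssid"].strip().lower(),
            "ssid": row["ssid"].strip(),
            "channel": int(row["channel"]),
            "rssi": int(row["rssi_dbm"]),
        }


def reconcile(scan_rows, authorized, corporate_ssids, near_threshold_dbm=-70):
    """Return a list of (severity, bssid, ssid, reason) findings.

    Rows not flagged are authorized APs behaving as inventoried, or weak
    non-corporate signals that are most plausibly neighbors.
    """
    findings = []
    for r in scan_rows:
        bssid, ssid, rssi = r["bssid"], r["ssid"], r["rssi"]
        if bssid in authorized:
            expected_ssid, _location = authorized[bssid]
            if ssid != expected_ssid:
                findings.append(("HIGH", bssid, ssid,
                                 f"authorized AP broadcasting unexpected SSID (expected {expected_ssid})"))
            continue
        if ssid in corporate_ssids:
            findings.append(("CRITICAL", bssid, ssid,
                             "unknown BSSID broadcasting a corporate SSID (possible evil twin)"))
        elif rssi >= near_threshold_dbm:
            findings.append(("MEDIUM", bssid, ssid,
                             f"unknown AP at {rssi} dBm, likely on premises; locate and justify or remove"))
    return findings


def unseen_authorized(scan_rows, authorized):
    """Authorized APs absent from the scan: down, or the survey missed an area."""
    seen = {r["bssid"] for r in scan_rows}
    return sorted(b for b in authorized if b not in seen)


if __name__ == "__main__":
    rows = list(parse_scan(SAMPLE_SCAN_CSV))
    for finding in reconcile(rows, AUTHORIZED_APS, CORPORATE_SSIDS):
        print(" | ".join(str(x) for x in finding))
    print("authorized but not seen:", unseen_authorized(rows, AUTHORIZED_APS))
```

Filing the scan export, the inventory used, and this reconciliation output together is what turns a quarterly scan into evidence: it shows what was checked, what it was checked against, and what was done about each finding.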

EVIDENCE

1. Network diagrams showing all connections to and from the cardholder data environment

2. Dataflow diagrams showing where cardholder data is stored, processed, and transmitted

3. Incident response plan and the results of its periodic (at least annual) test

4. Role-based access matrix

5. Internal and external (ASV) vulnerability scan reports, with remediation and rescan evidence

6. Risk register

7. Third-party service provider contracts and written responsibility acknowledgements (soft copy)


About the Creator

Mary Fleming

I'm an experienced consultant skilled in Payment Card Industry Data Security Standard (PCI DSS). Strong consulting professional with a Master of Science (MSc) focused in Information Management and Security.


    © 2024 Creatd, Inc. All Rights Reserved.