Meeting the PCI DSS (Payment Card Industry Data Security Standard) requirements involves drafting detailed data protection policies and documentation to ensure security for your customers, stakeholders and your brand. From policy to procedure to configuration standard, a significant proportion of PCI DSS compliance begins with documentation.
Nearly one in five data breaches caused by human error
Verizon’s 2018 Data Breach Investigations Report identified that almost one in five data breaches (17%) were the result of human error.
Policies play an important role in protecting data and are the foundation of your information security, providing direction and instruction for your weakest link – people. If your employees don’t know or understand what’s expected of them, they can put cardholder data at risk, regardless of any other security measures you have in place.
What’s in a PCI policy set?
PCI DSS compliance requires that all merchants and service providers document the processes and procedures they put in place. These policies and procedures can then serve as a guide, following the 12 requirements of the PCI DSS, from which you and your QSA (Qualified Security Assessor) can work during your assessment. The policies might address:
Information security: This details the organisation’s security strategy in relation to the storage, processing and transmission of credit card data. It provides a detailed outline of information security responsibilities for all staff, contractors, partners and third parties that access the CDE (cardholder data environment).
Formal security awareness: This identifies the organisation’s responsibilities when implementing a PCI security awareness training programme and is intended for anyone who has access to the CDE. Staff should take this programme during their induction and repeat it at least annually or whenever there is a security incident.
Incident response: This is a set of instructions for detecting, responding to and limiting the effects of an information security event. Without a plan in place, organisations might not detect an attack or might fail to follow proper protocol to contain it and recover.
Nothing here should surprise an experienced security professional. The policy requirements are basic information security best practices. Therefore, we advise structuring your PCI policy set alongside the development of your core information security policy.