How to Draft Policy & Procedure Documentation: PCI DSS Requirement 12
As you know, your company’s cardholder data is a veritable goldmine for today’s cybercriminals. Go Anywhere suggests that major data breaches like those perpetrated against Home Depot, the Office of Personnel Management (OPM) and TJX Companies could possibly have been avoided with stronger Payment Card Industry Data Security Standard (PCI DSS) compliance.
No matter how diligent an IT team is when it comes to cardholder data protection, everyone can take an extra step to do better. It is worth every precaution to avoid becoming the victim of a highly costly data breach.
Even worse than the immediate financial losses you stand to suffer from a data breach is the erosion of consumer trust that such an event can cause, particularly if it is discovered that you missed the opportunity to prevent, detect and respond to an attack with drum-tight PCI DSS compliance.
Can Drafting Security Policy and Documentation Help You Improve PCI DSS Requirement 12 Compliance?
If you have ever worked with an auditing firm to perform a PCI DSS assessment, you probably noted the emphasis that your team of Qualified Security Assessors (QSA) placed on having prepared written policies, procedures and other documents essential to assessments.
Your documentation serves as a guidepost, in accordance with the 12 requirements of PCI DSS, from which you and your QSAs can work during your assessment. Your QSAs will then follow pre-defined testing procedures to further verify that your controls have been implemented according to the PCI DSS.
Drafting fully detailed policy and documentation for data protection is an important step toward improved security for your customers, stakeholders and brand because it reveals your understanding of, and commitment to, PCI DSS. It also shows that you have the tools needed to train your employees to follow the requirements and for your whole organization to maintain a PCI-compliant environment.
Requirement 12 of PCI DSS calls for businesses to “maintain a policy that addresses information security for all personnel.” As with so many aspects of your business, maintaining documentation also helps protect your business from any possible liability in the event of a data breach against your business’s data. With your security policy and documentation readily available, your QSAs or forensic investigators—in case of a data breach—can easily see what security measures you have in place.
How to Draft Security Policy and Create Procedure Documentation To Fulfill PCI DSS Requirement 12?
The best way to draft security policy and create procedure documentation for PCI DSS is to rely on the 12 requirements—and requirement 12, in particular—as a guide. Take note of every requirement that your security policy and documentation may need to address, then expand on each of them in your policies and documentation to show your commitment to good stewardship from the outset.
Security Metrics offers a series of matters that are important to address as you launch your security policies and procedures project:
- Firewall configuration and hardening standard
- Server and workstation hardening standards
- Data retention and data disposal policies
- Software development life cycle
- User provisioning and de-provisioning policies
- Password policies
- Physical security policies and procedures
- Employee manuals
- Appropriate use policies
- Staff training procedures
- Third-party management
- Disaster recovery and incident response plans
These ideas are simply a good starting point to help you start combing through the PCI DSS requirements as they pertain to your own data and systems.
Inspired by Rice University’s Template for Departmental Procedures Related to PCI DSS, following are more detailed examples of what you may create after reviewing the requirements and everything else necessary to include in your own policies and procedures for data security.
Draft a Section on Data Handling
How you handle cardholder data is paramount to keeping it safe while it is under your guardianship. Following are just a few policies and procedures that you can lay out on the human side:
- Treat cardholder data as confidential.
- Safely eliminate any data in any format, such as paper or electronic, that is not completely necessary to conduct business.
- Develop a response to credit card data received via email, such as contacting the IT department right away to eliminate the email from the system where it is vulnerable. Further, create a plan to notify the email sender to let them know that you do not accept such information via email due to the risk to their cardholder data.
- Mask cardholder account numbers any time that a card number is displayed.
- Restrict access to cardholder data to employees on a need-to-know basis, whether electronically or via paper file.
System Configuration and Security
It is just as important that you and your IT team tend to the digital side of shepherding your cardholder data. Explore a sampling of the types of system-based policies and procedures that will make your work easier throughout the year:
- Install, regularly update and run antivirus software at regular intervals.
- Use data detection software to ensure that all confidential data is properly secured or deleted, as necessary.
- Employ encryption software for optimal security across all devices and in the cloud.
- Install vendor patches as soon as possible after a problem is detected, and keep a log of any problems and the dates on which they arise.
- Access to cardholder files in the system is provided to staff on a “need-to-know” basis only.
- Carefully consider any third-party access to your system for external vendors. If granted, only allow access for the time needed to complete a specific task that is logged in detail. Once the task is completed, disable access immediately.
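The data-handling items above (spotting card numbers that arrive by email, masking account numbers wherever they are displayed) and the "data detection software" item here both come down to being able to recognise a primary account number (PAN) in free text and show it masked. The following Python sketch is an added example, not code from the original article or from any vendor it names: it scans a constructed email body for Luhn-valid 13- to 19-digit numbers and masks all but the first six and last four digits (a common display format that the article itself does not specify). The sample text and function names are my own.

```python
import re

# Constructed sample: an email body that should never carry a PAN.
# The second number is a Luhn-invalid order reference and must NOT be flagged.
SAMPLE_EMAIL = """Hi, please charge my card 4111 1111 1111 1111 exp 12/27.
Order ref 1234567890123456 (this is an order number, not a card).
Thanks!"""

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# starting and ending on a digit so surrounding whitespace is not consumed.
CANDIDATE_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test: cuts most false positives from plain digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[tuple[int, int, str]]:
    """Return (start, end, digits) for every Luhn-valid candidate in text."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append((m.start(), m.end(), digits))
    return hits


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits; star out the rest (assumed format)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact(text: str) -> str:
    """Replace every detected PAN in text with its masked form, right to left
    so earlier offsets stay valid while the string is rewritten."""
    out = text
    for start, end, digits in reversed(find_pans(text)):
        out = out[:start] + mask_pan(digits) + out[end:]
    return out


if __name__ == "__main__":
    print(redact(SAMPLE_EMAIL))
```

Running the block prints the sample email with the card number shown as 411111******1111 while the order reference is left untouched.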
I.S. Partners Can Help You Develop a Detailed Security Policy And Documentation For Perfect Compliance
Our skilled and seasoned QSAs can help you review the PCI DSS and its 12 requirements, as well as your own business, to come up with a tailored security policy and documentation that keep you on track for perfect compliance and the best cardholder data protection.