Introduction

Note: This sample is meant to demonstrate how the PCI-DSS might be employed directly to generate a policy. It would require significant adaptation to be deployed successfully in an actual card processing environment. Individual requirements from the PCI-DSS are denoted in parentheses. These annotations may be removed, should you choose to adapt this sample policy to make it suitable for your use.

Want a Word document copy of the entire policy template? Sign up for the PCI DSS Guru newsletter and receive a free copy that you can edit and use in your organization!

Issue Date: xx/xx/xxxx
Reviewed: xx/xx/xxxx

Policy Statement

(12.1.1) All card processing activities and related technologies must comply with the Payment Card Industry Data Security Standard (PCI-DSS) in its entirety. Card processing activities must be conducted as described herein and in accordance with the standards and procedures listed in the Related Documents section of this Policy. No activity may be conducted nor any technology employed that might obstruct compliance with any portion of the PCI-DSS.

(12.1.3) This policy shall be reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment.

Applicability and Availability

This policy applies to all employees: full-time and part-time, temporary and personnel, and contractors and consultants who are “resident” on site. (12.1) Relevant sections of this policy apply to vendors, off-site contractors, and business partners. The most current version of this policy is available (at X URL or through Y office).

Policy Requirements

• Adherence to Standards

• Handling of Cardholder Data

• Access to Cardholder Data

• Critical Employee-facing Technologies

• Roles and Responsibilities

• Related Documents

  • Standards
  • Incident Response Plan
  • Procedures

In this article, I review the Payment Card Industry Data Security Standard (PCI-DSS) policy requirements and provide a policy framework, including a PCI DSS sample policy that uses the framework.

Want a Word document copy of the entire policy template? Sign up for the PCI DSS Guru newsletter and receive a free copy that you can edit and use in your organization!

Getting Started

The best advice regarding policy creation is: don’t over engineer it!  The policy document should be a definitive guide to conduct, but should not include the implementation details (i.e., procedures).  It may make reference to standards, but it should not contain those standards.
(continue reading…)

There’s a lot of talk about section 11.3 of the Payment Card Industry Data Security Standard (PCI DSS), requiring organizations to conduct penetration tests.  The language in this section of the standard reads:

11.3 Perform penetration testing at least once a year and after any significant infrastructure or
application upgrade or modification (such as an operating system upgrade, a sub-network added
to the environment, or a web server added to the environment). These penetration tests must
include the following:
11.3.1 Network-layer penetration tests
11.3.2 Application-layer penetration tests

When the standard first came out, the vagueness of this requirement caused quite a bit of confusion among compliance professionals attempting to understand how they’ll be held accountable by their merchant banks.

(continue reading…)