Sample PCI DSS Policy Updated

We’ve recently updated our sample PCI DSS policy to reflect the changes in PCI DSS version 3.2.  You may view the sections of the sample policy at:

If you’d like to get a free license to use this policy in your organization as well as a downloadable copy in Word format, simply subscribe to our free newsletter.

PCI DSS Service Providers – A Definition

In the early days of PCI DSS, I recall having many conversations with vendors of payment applications and card-related services in which we spent hours persuading and educating providers about their new obligations.  This was before the Payment Application Data Security Standard (PA DSS), which gave us something more concrete to point to in these situations.

Thankfully, these conversations now are a rarity.  However, as the banks extend their compliance focus to level three and four merchants, who may rely on locally grown applications and services, situations still may arise where a vendor does not know about PCI or PA DSS.  Or the vendor simply may not consider their service subject to the standards.

For that matter, you may wonder if you are a service provider yourself!  Many organizations make use of multiple merchant accounts for a variety of legitimate business reasons.  In such circumstances, organizations may wrestle with this question.*

So, how does service provider compliance relate to merchant compliance?  And how is service provider status determined?

(continue reading…)

Is a corporate service organization a Service Provider under PCI even if it is internal?

A reader recently submitted the following question to Ask PCI DSS Guru:

“A corporate service organization stores, processes, or transmits cardholder data on behalf of different departments. Each department is a merchant and there are thirty merchants . Is the corporate service organization a Service Provider under PCI even [if] it is internal?”

We saw this question arise about three years ago for a large institution (having just over 40 merchant accounts and over a dozen payment systems).  We maintained (and the institution’s acquiring bank agreed) that because the merchant accounts belonged to a single entity the services provided by that entity to its internal constituents did not make that organization a service provider.

Obviously, all of those merchant accounts were still in scope for PCI DSS and each system had to be certified compliant.  Here is another post that elaborates on the definition of a service provider under PCI.

Sample PCI-DSS Policy Part 6: Roles and Responsibilities

Want a Word document copy of the entire policy template? Sign up for the PCI DSS Guru newsletter and receive a free copy that you can edit and use in your organization!

12.2.a Will maintain daily operational security procedures consistent with this the PCI-DSS, including administrative and technical procedures for each of the requirements

(12.5) Chief Security Officer (or equivalent) is responsible for overseeing all aspects of information security, including but not limited to:

  • (12.5.1) creating and distributing security policies and procedures
  • (12.5.2) monitoring and analyzing security alerts and distributing information to appropriate information security and business unit management personnel
  • (12.8.4) monitoring service providers PCI compliance at least annually
  • (12.5.3) (12.9) creating and distributing security incident response and escalation procedures that include:

◦           (12.10.1) roles, responsibilities, and communication

◦           (12.10.1) coverage and responses for all critical system components

◦           (12.10.1) notification, at a minimum, of credit card associations and acquirers

◦           (12.10.1) strategy for business continuity post compromise

◦           (12.10.1) reference or inclusion of incident response procedures from card associations

◦           (12.10.1) analysis of legal requirements for reporting compromises (for example, per California bill 1386)

◦           (12.9.2) annual testing

◦           (12.9.3, 12.9.5) designation of personnel to monitor for intrusion detection, intrusion prevention, and file integrity monitoring alerts on a 24/7 basis

◦           (12.9.4) plans for periodic training

◦           (12.9.6) a process for evolving the incident response plan according to lessons learned and in response to industry developments

  • (12.6; 12.6.1.a) maintaining a formal security awareness program for all employees that provides    multiple methods of communicating awareness and educating employees (for example, posters, letters, meetings)
  • (10.6.a) review security logs at least daily and follow-up on exceptions

(12.2.a) The Information Technology Office (or equivalent) shall maintain daily administrative and technical operational security procedures that are consistent with the PCI-DSS (for example, user account maintenance procedures, and log review procedures).

System and Application Administrators shall

  • Monitor and analyze security alerts and information and distribute to appropriate personnel
  • (12.5.4) administer user accounts and manage authentication
  • (12.5.5) monitor and control all access to data
  • (12.10.1) maintain a list of connected entities
  • (12.10.2) perform due diligence prior to connecting an entity, with supporting documentation
  • (12.10.3, 12.4) verify that the entity is PCI-DSS compliant, with supporting documentation
  • (12.10.4) establish a documented procedure for connecting and disconnecting entities
  • (10.7.a ) retain audit logs for at least one year

The Human Resources Office (or equivalent) is responsible for tracking employee participation in the security awareness program, including:

  • (12.6.1.b) facilitating participation upon hire and at least annually
  • (12.6.2) ensuring that employees acknowledge in writing that they have read and understand the company’s information security policy
  • (12.7) screen potential employees to minimize the risk of attacks from internal sources

Internal Audit (or equivalent) is responsible for executing a (12.1.2) risk assessment process that identifies threats, vulnerabilities, and results in a formal risk assessment.

General Counsel (or equivalent) will ensure that for service providers with whom cardholder information is shared:

  • (12.8.1) contracts require adherence to PCI-DSS by the service provider
  • (12.8.2) contracts include acknowledgement or responsibility for the security of cardholder data by the service provider

Sample PCI-DSS Policy Part 5: Critical Employee-Facing Technologies

Want a Word document copy of the entire policy template? Sign up for the PCI DSS Guru newsletter and receive a free copy that you can edit and use in your organization!

(12.3) For critical employee-facing technologies, departmental procedures shall require:

  • (12.3.1) explicit management approval to use the devices
  • (12.3.2) that all device use is authenticated with username and password or other authentication item (for example, token)
  • (12.3.3) a list of all devices and personnel authorized to use the devices
  • (12.3.4) labeling of devices with owner, contact information, and purpose
  • (12.3.8) automatic disconnect of modem sessions after a specific period of inactivity
  • (12.3.9) activation of remote access technologies used by vendors only when needed by vendors, with immediate deactivation after use

Departmental usage standards shall include:

  • (12.3.5) acceptable uses for the technology
  • (12.3.6) acceptable network locations for the technology
  • (12.3.7) a list of company-approved products
  • (12.3.10) prohibition of the storage of cardholder data onto local hard drives, floppy disks, or other external media when accessing such data remotely via remote access technologies
  • (12.3.10) prohibition of use of cut-and-paste and print functions during remote access

  • Free Newsletter

  • Search

  • Copyright © 1996-2010 PCI DSS Guru. All rights reserved.