
Sample PCI-DSS Policy Part 3: Handling of Cardholder Data

Want a Word document copy of the entire policy template? Sign up for the PCI DSS Guru newsletter and receive a free copy that you can edit and use in your organization!

(9.7) Distribution, maintenance, and storage of media containing cardholder data must be controlled, including media distributed to individuals. (9.9) Procedures must include periodic media inventories to validate the effectiveness of these controls.

(3.1) Procedures for data retention and disposal must be maintained by each department and must include the following:

  • legal, regulatory, and business requirements for data retention, including specific requirements for retention of cardholder data
  • provisions for disposal of data when no longer needed for legal, regulatory, or business reasons, including disposal of cardholder data
  • coverage for all storage of cardholder data, including database servers, mainframes, transfer directories, and bulk data copy directories used to transfer data between servers, and directories used to
  • a programmatic (automatic) process to remove, at least on a quarterly basis, stored cardholder data that exceeds business retention requirements, or, alternatively, an audit process, conducted at least on a quarterly basis, to verify that stored cardholder data does not exceed business retention requirements
  • (9.10) destruction of media when it is no longer needed for business or legal reasons, as follows:
      • cross-cut shred, incinerate, or pulp hardcopy materials
      • purge, degauss, shred, or otherwise destroy electronic media such that data cannot be reconstructed

[If records management is a centralized function, you may choose to offload the above section to a data retention standard and/or procedure, and then reference that procedure in the policy.]

(3.3) Primary Account Numbers (PANs) must be masked whenever cardholder data is displayed; at most the first six and last four digits may be shown. Those with a legitimate business need to see full PANs must request an exception to this policy using the exception process.

(4.2.b) Unencrypted Primary Account Numbers may not be sent via end-user messaging technologies such as email, instant messaging, or chat.
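The two requirements above are the ones in this policy that map directly onto code: a display layer must mask PANs, and an outbound-mail gateway needs a way to spot unmasked PANs before a message leaves. The following is an added illustration, not code from PCI DSS Guru or from the standard itself. It assumes the first-six/last-four limit of requirement 3.3, uses a Luhn check to separate real PANs from other long digit strings (order numbers, ticket IDs), and runs over a constructed email body; the card numbers in it are the well-known industry test numbers, not real accounts.

```python
import re

# Constructed sample: an outbound support email containing one full PAN,
# one unrelated 16-digit reference number, and one already-masked PAN.
SAMPLE_EMAIL = (
    "Hi, the refund failed for card 4111 1111 1111 1111, ref 1234567890123456.\n"
    "The masked copy 411111XXXXXX1111 is fine to keep in the ticket.\n"
)

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, not adjacent to other digits.  This is a heuristic; the Luhn
# check below removes most false positives such as reference numbers.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check (ISO/IEC 7812), which every PAN must satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, first: int = 6, last: int = 4, fill: str = "X") -> str:
    """Mask a PAN for display per requirement 3.3.

    At most the first six and last four digits may remain visible; callers
    may show fewer (e.g. last four only) but never more.  Separators are
    stripped so the masked form never leaks structure of the original.
    """
    if first > 6 or last > 4:
        raise ValueError("PCI DSS 3.3 allows at most first six and last four digits")
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    return digits[:first] + fill * (len(digits) - first - last) + digits[-last:]


def find_unmasked_pans(text: str) -> list:
    """Return every Luhn-valid, PAN-length digit run in text, digits only."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def redact_unmasked_pans(text: str) -> str:
    """Replace each detected PAN with its masked form (a simple DLP action)."""
    def _mask(m):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return m.group(0)        # not a PAN: leave the text untouched
    return PAN_CANDIDATE.sub(_mask, text)


if __name__ == "__main__":
    print(find_unmasked_pans(SAMPLE_EMAIL))   # ['4111111111111111']
    print(redact_unmasked_pans(SAMPLE_EMAIL))
```

The already-masked copy in the sample is not flagged because the fill characters break the digit run, and the 16-digit reference number fails Luhn, so only the real test PAN is reported and rewritten. In a gateway you would block or quarantine rather than silently redact, and you would also want to catch PANs in attachments and in encodings (base64, zero-width separators) that this plain-text scan does not see.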


Sample PCI-DSS Policy Part 2: Adherence to Standards


(2.2.a) Configuration standards must be maintained for applications, network components, critical servers, and wireless access points. These standards must be consistent with industry-accepted hardening standards such as those published by the SANS Institute (SysAdmin, Audit, Network, Security), the National Institute of Standards and Technology (NIST), and the Center for Internet Security (CIS). [2.2.b should be captured in your system configuration standard; 2.2.c and 2.2.3.b should be covered in your procedure for new server set-up.]

Configuration standards must include:

  • (5.2) updating of anti-virus software and definitions
  • (6.1.b) provision for installation of all relevant new security patches within one month
  • (8.5.8.b) prohibition of group and shared passwords

Sample PCI-DSS Policy Part 1: Introduction

Introduction

Note: This sample is meant to demonstrate how the PCI-DSS might be employed directly to generate a policy. It would require significant adaptation to be deployed successfully in an actual card processing environment. Individual requirements from the PCI-DSS are denoted in parentheses. These annotations may be removed, should you choose to adapt this sample policy to make it suitable for your use.


Issue Date: xx/xx/xxxx
Reviewed: xx/xx/xxxx

Policy Statement

(12.1.1) All card processing activities and related technologies must comply with the Payment Card Industry Data Security Standard (PCI-DSS) in its entirety. Card processing activities must be conducted as described herein and in accordance with the standards and procedures listed in the Related Documents section of this Policy. No activity may be conducted nor any technology employed that might obstruct compliance with any portion of the PCI-DSS.

(12.1.3) This policy shall be reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment.

Applicability and Availability

This policy applies to all personnel: full-time and part-time employees, temporary staff, and contractors and consultants who are “resident” on site. (12.1) Relevant sections of this policy also apply to vendors, off-site contractors, and business partners. The most current version of this policy is available (at X URL or through Y office).

Policy Requirements


A Sample Policy for PCI-DSS


In this article, I review the Payment Card Industry Data Security Standard (PCI-DSS) policy requirements and provide a policy framework, including a PCI DSS sample policy that uses the framework.


Getting Started

The best advice regarding policy creation is: don’t over-engineer it! The policy document should be a definitive guide to conduct, but it should not include implementation details (i.e., procedures). It may reference standards, but it should not contain them.



Copyright © 1996-2010 PCI DSS Guru. All rights reserved.