Note: This sample is meant to demonstrate how the PCI-DSS might be employed directly to generate a policy. It would require significant adaptation to be deployed successfully in an actual card processing environment. Individual requirements from the PCI-DSS are denoted in parentheses. These annotations may be removed, should you choose to adapt this sample policy to make it suitable for your use.

Issue Date: xx/xx/xxxx
Reviewed: xx/xx/xxxx

Policy Statement

(12.1) All card processing activities and related technologies must comply with the Payment Card Industry Data Security Standard (PCI-DSS) in its entirety.  Card processing activities must be conducted as described herein and in accordance with the standards and procedures listed in the Related Documents section of this Policy.  No activity may be conducted nor any technology employed that might obstruct compliance with any portion of the PCI-DSS.

(12.1.1)  This policy shall be reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment.

Applicability and Availability

This policy applies to all employees.  (12.1) Relevant sections of this policy apply to vendors, contractors, and business partners.  The most current version of this policy is available (at X URL or through Y office).

Policy Requirements