PCI DSS Guru
Payment Card Industry Data Security Standard


Sample PCI-DSS Policy Part 1: Introduction

Introduction

Note: This sample is meant to demonstrate how the PCI-DSS might be employed directly to generate a policy. It would require significant adaptation to be deployed successfully in an actual card processing environment. Individual requirements from the PCI-DSS are denoted in parentheses.

Issue Date: xx/xx/xxxx
Reviewed: xx/xx/xxxx

Policy Statement

(12.1.1) All card processing activities and related technologies must comply with the Payment Card Industry Data Security Standard (PCI-DSS) in its entirety. Card processing activities must be conducted as described herein and in accordance with the standards and procedures listed in the Related Documents section of this Policy. No activity may be conducted nor any technology employed that might obstruct compliance with any portion of the PCI-DSS.

(12.1.3) This policy shall be reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment.

Applicability and Availability

This policy applies to all employees. (12.1) Relevant sections of this policy apply to vendors, contractors, and business partners. The most current version of this policy is available (at X URL or through Y office).

Policy Requirements

  • Adherence to Standards

  • Handling of Cardholder Data

  • Access to Cardholder Data

  • Critical Employee-facing Technologies

  • Roles and Responsibilities

  • Related Documents

    • Standards
    • Incident Response Plan
    • Procedures


3 Responses

  1. sunny

    July 9th, 2009 at 1:42 am

    Do we need to quote the relevant standard/section number in the policy?

  2. admin

    July 16th, 2009 at 7:52 pm

    The standard doesn’t require it. However, it’s probably a good idea to do so in the draft version so that you can check off each requirement. The version you publish/promote to your company can be stripped of the references, for readability.

    The standard is ever evolving, so keep that draft version around to cross reference and fill any gaps that appear as a result of the changes!

  3. Daniel de Jager

    October 26th, 2009 at 4:34 am

    Would the above be an outline of the actual document?

Copyright 2007, Plainfacts.net