PCI Documentation - Man's Best Friend!
Nobody told you when you were tinkering with a computer as a kid that when you grew up you would be doing so much documentation, did they? Now you have an email from an auditor asking for evidence that you have documented your firewall and router configurations. In the rapidly developing world of IT security, companies such as Compass IT Compliance work with you to ensure you have proper documentation to address the growing need to achieve and maintain compliance with the latest version of the PCI Data Security Standard.
In an ongoing blog series highlighting each of the 12 PCI requirements, my colleague, Senior IT Auditor Derek Morris, walks you through each requirement, giving you a detailed view of what to expect and some of the challenges that our clients face. Here, I would like to single out some of the documentation that is required and that you will find easy to collect, so you are ahead of the game when Compass is working side by side with you and your company!
1. Install and maintain a firewall configuration to protect data.
- Firewall and router configurations (network and data flow diagrams)
- Policies and Procedures for vendor-supplied defaults
- Wireless and encryption key management
- Data-retention and disposal policies and procedures
- If disk encryption is used, how is access managed?
- Documented standard showing strong cryptography and security protocols used to safeguard sensitive cardholder data during transmission over open, public networks.
- Vendor documentation regarding anti-virus programs capable of detecting, removing, and protecting against all known types of malicious software.
- Security vulnerability policy
- Documented change control processes and procedures for all changes to system components.
- Written access control policy, limiting access to system components and cardholder data.
- Policies and procedures for user identification management controls defined and in place for non-consumer users and administrators on all system components.
- Observed and documented facility controls to limit and monitor physical access to systems in the cardholder data environment.
- Audit logs for all system components within the cardholder data environment.
- Examples: user ID, type of event, date and time, success or failure indication.
- Documented evidence of internal and external network vulnerability scans run at least quarterly and after any significant change in the environment
- Evidence of security policy established, published, maintained, and disseminated to all relevant personnel.
- Evidence of a security awareness program that provides multiple methods of communicating awareness and educating personnel.
- Policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared.
This is a daunting list when you have not considered the impact of documentation on your IT and PCI environments. The good news is that you now have a list to help you get started when the auditor asks you to provide documentation on these different requirements! Something else that might help you with your overall PCI compliance initiatives is our free downloadable PCI Compliance Checklist. This checklist will help you keep track, at a high level, of the quarterly, semi-annual, and annual requirements outlined in the PCI Data Security Standard. We have created one for Merchants and one for Service Providers, since the requirements are a bit different for the two. Both are accessible on the download page by clicking on the button below!