PCI Documentation - Man's Best Friend!
Nobody told you when you were tinkering with a computer as a kid that when you grew up you would be doing so much documentation, did they? Now you have an email from an auditor asking for evidence that you have documented your firewall and router configurations. In the rapidly developing world of IT security, companies such as Compass IT Compliance work with you to ensure you have proper documentation to address the growing need to achieve and maintain compliance with the latest version of the PCI Data Security Standard.
In an ongoing blog series highlighting each of the 12 PCI requirements, my colleague, Senior IT Auditor Derek Morris, walks you through each requirement, giving you a detailed view of what to expect and some of the challenges that our clients face. Here, I would like to single out some of the documentation that is required and that you will find easy to collect, so you are ahead of the game when Compass is working side by side with you and your company!
1. Install and maintain a firewall configuration to protect data.
- Firewall and router configurations (network and data flow diagrams)
- Policies and Procedures for vendor-supplied defaults
- Wireless and encryption key management
- Data-retention and disposal policies and procedures
- If disk encryption is used, how is access managed?
- Documented standard showing strong cryptography and security protocols used to safeguard sensitive cardholder data during transmission over open, public networks.
- Vendor documentation regarding anti-virus programs capable of detecting, removing, and protecting against all known types of malicious software.
- Security vulnerability policy
- Documented change control processes and procedures for all changes to system components.
- Written access control policy, limiting access to system components and cardholder data.
- Policies and procedures for user identification management controls defined and in place for nonconsumer users and administrators on all system components.
- Observed and documented facility controls to limit and monitor physical access to systems in the cardholder data environment.
- Audit logs: for all system components within cardholder data environment.
- Examples: user ID, type of event, date and time, success or failure indication.
- Documented evidence of internal and external network vulnerability scans run at least quarterly and after any significant change in the environment
- Evidence of security policy established, published, maintained, and disseminated to all relevant personnel.
- Evidence of a security awareness program that provides multiple methods of communicating awareness and educating personnel.
- Policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared.
This is a daunting list when you have not considered the impact of documentation on your IT and PCI environments. The good news is you don’t have to tackle PCI compliance initiatives alone. Compass IT Compliance has deep experience guiding organizations through the complexities of the PCI Data Security Standard—from understanding what documentation is required to building sustainable processes that align with your business. Our team partners with you every step of the way to ensure your PCI compliance initiatives are efficient, thorough, and audit-ready. Contact us today to learn how we can support your organization’s compliance journey.