PCI Documentation - Man's Best Friend!

Ron Scarborough
Mar 28, 2018 10:00:00 AM


Nobody told you when you were tinkering with a computer as a kid that when you grew up you would be doing so much documentation, did they? Now you have an email from an auditor asking for evidence that you have documented your firewall and router configurations. In the rapidly developing world of IT security, companies such as Compass IT Compliance work with you to ensure you have proper documentation to address the growing need to achieve and maintain compliance with the latest version of the PCI Data Security Standard.

In an on going blog highlighting each of the 12 PCI requirements, my colleague, Senior IT Auditor Derek Morris, walks you through each requirement, giving you a detailed view of what to expect and some of the challenges that our clients face. Here, I would like to single out some of the documentation that is required and that you will find easy to collect to be ahead of the game when Compass is working side by side with you and your company!

1. Install and maintain a firewall configuration to protect data.
  • Firewall and router configurations (Network, and Data flow diagram)
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  • Policies and Procedures for vendor-supplied defaults
  • Wireless, and encryption key management
3. Protect stored cardholder data.
  • Data-retention and disposal policies and procedures
  • If disk encryption is used, how is access managed?
4. Encrypt transmission of cardholder data across open, public networks.
  • Documented standard showing strong cryptography and security protocols used to safeguard sensitive cardholder data during transmission over open, public networks.
5. Protect all systems against malware and regularly update anti-virus software or programs.
  • Vendor documentation regarding anti-virus programs capable of detecting, removing, and protecting against all known types of malicious software.
6. Develop and maintain secure systems and applications.
  • Security vulnerability policy
  • Documented change control processes and procedures for all changes to system components.
7. Restrict access to cardholder data by business need to know.
  • Written access control policy, limiting access to system components and cardholder data.
  • Policies and procedures for user identification management controls defined and in place for nonconsumer users and administrators on all system component.
8. Identify and authenticate access to system components.
  • Policies and procedures for user identification management controls defined and in place for nonconsumer users and administrators on all system components.
9. Restrict physical access to cardholder data.
  • Observed, and documented facility controls to limit and monitor physical access to systems in the cardholder data environment.
10. Track and monitor all access to network resources and cardholder data.
  • Audit logs: for all system components within cardholder data environment.
  • Examples: User ID, type of event, date and time, success or failure of indication.
11. Regularly test security systems and processes.
  • Documented evidence of internal and external network vulnerability scans run at least quarterly and after any significant change in the environment
12. Maintain a policy that addresses information security for all personnel.
  • Evidence of security policy established, published, maintained, and disseminated to all relevant personnel.
  • Evidence of a security awareness program provide multiple methods of communicating awareness and educating personnel.
  • Policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared.

This is a daunting list when you have not considered the impact of documentation on your IT and PCI environments. The good news is now you have a list to help you get started when that auditor asks you to provide documentation on these different requirements! Something else that might be able to help you with your overall PCI Compliance initiatives is our free downloadable PCI Compliance Checklist. This checklist will help you keep track, from a high-level, the quarterly, semi-annual, and annual requirements outlined in the PCI Data Security Standard. We have created one for Merchants and one for Service Providers since the requirements are a bit different for the two. Both are accessible on the download page by clicking on the button below!

New Call-to-action


You May Also Like

These Stories on PCI Compliance

Subscribe by Email

No Comments Yet

Let us know what you think