PCI documentation can seem like a long, painstaking process for many merchants and service providers. Many that I work with describe it as “staring at a mountain of policy documents and not knowing where to start climbing.”
But before you figure out how to climb the documentation mountain, it’s important to identify the various types of documents you will need and the tasks you will be required to document.
3 Types of Documents You Need for PCI Compliance
The first step to compiling effective PCI documentation is to define the various types of documents you will need to record. Here are three that will be important to consider:
Policies define what you do when it comes to PCI compliance. For example, “All stored sensitive data shall be encrypted.” Policies are management instructions indicating a predetermined course of action, or a way to handle a problem or situation. Defining policy is typically the responsibility of management, since they are more familiar with compliance obligations and executive directives. As a manager, you might assign team members the task of composing the documents, but it’s up to you to provide direction and approval for policy content.
Standards define what is required to maintain the policy. For example, “All encryption of stored sensitive data shall use AES with 256-bit keys.” Standards are mandatory directives that carry out management’s policies and are used to measure compliance with those policies. The PCI Security Standards differ for various types and sizes of organizations, so it’s important to know and document which standards apply to your business.
Procedures define how you apply the PCI requirement. For example, “In order to meet the standard, we must 1) create an encryption key, 2) install the key into the application, 3) execute the encryption process,” and so forth. Procedures are a series of steps to be followed as a consistent, repeatable approach or cycle to accomplish an end result. They provide a helpful window into how tasks are actually carried out and may reveal potential lapses in compliance.
3 Types of Tasks You’ll Want to Document
Once you understand the various types of documents required for PCI compliance, the next step is to identify all the tasks that will be defined in your procedures. To simplify things, I often encourage clients to place each task in one of three primary buckets.
1. Critical tasks.
These are the most common types of tasks organizations already have documented. Critical tasks include things like backup and recovery, configuration or build procedures, and incident response. These are the tasks you want documented so that you don’t miss a step that will get you or your team in trouble!
2. Regular tasks.
These are the tasks that might lead you to think, “I do it every day, so why do I need to document it?” However, it’s important to remember that documentation is not just for you. If you leave your company or are unavailable, the task doesn’t just go away. One of your colleagues or a new hire might have to step in and do it. Documenting regular tasks prevents a lot of clean-up work later.
3. Rare tasks.
These are the tasks you dread because they don’t come up often, but when they do, you know it’s going to take some effort to recall how you did it the last time. They typically involve rarely used systems or stable applications that don’t need much care and feeding, and oftentimes the task is manual. This is why I encourage clients to document the task while they’re doing it. If you wait until later, you might forget details that will be important the next time it comes around.
Take the First Step Toward PCI Compliance
PCI documentation is a critical step in raising your security profile and reducing the likelihood of a successful attack. If your business stores, processes, or transmits credit card data, you’re responsible for compliance with PCI DSS.
If you want to make sure all your bases are covered, download our free guide, PCI Compliance Guidelines Explained. In this guide, we unpack everything you need to know for making sure your organization is up to date with the latest standards.