PCI Resources
A structured approach to the PCI standards

PCI DSS Governance - Policies

*This section is adapted from the PCI DSS books.

The cornerstone of any Information Security Program is a proper set of policies, which in turn lead to the implementation of procedures and standards. Policies tell the organization what rules it needs to follow. Note that policies, procedures and standards may go by different names in different organizations; to align with the PCI DSS standard, we will use the standard's own terminology. One blogger, the PCI Guru, has outlined his own guidance on this, with which I agree, and it can be found here.

Policies and their associated/derived procedures, while not as glamorous to IT professionals as the technical aspects of the work, are nonetheless critical elements. They help with personnel changes, from onboarding to people simply going on vacation (I like vacations and prefer this analogy to the "hit-by-the-bus rule" that is often cited to justify documentation in case an employee does not make it in one day), and they tell us what we should be looking for when assessing the organization.

Since PCI DSS 3.0, and through 3.2, the policy and procedure requirements have been distributed among each of the 12 high-level requirements (they were previously all grouped under 12.1.1). These specific requirements can still be covered in one document or in several, whichever the organization feels fits its needs best, as long as every requirement is covered. Many organizations keep a dedicated PCI policy that they can update more frequently than their other policies.

At a minimum, PCI DSS compliant Information Security Policies (12.1) and Procedures (covered in the body section) should cover the assignment of responsibilities for:

  • PCI compliance - an implied requirement of PCI DSS, but made mandatory in requirement A3.1.* for designated entities (and likely to be covered in future versions of PCI DSS)
  • Information security (12.4, 12.5.*)
  • Managing firewall-type devices, which can include routers and switches (1.5); this requirement is linked to the change control management process
  • Managing vendor defaults and other security parameters (2.5) - also known as Hardening
  • Change control management (6.4, 6.7) including testing and approvals
  • Data classification (implied) and data retention (3.1, 3.7)
  • Cryptographic key-management policy, processes and procedures (3.5, 3.6, 3.7, 4.3)
  • Protecting the transmission of cardholder data (and likely other sensitive data) over networks not under the organization's control (4.3)
  • Protecting systems against malware (5.4)
  • Vulnerability identification (6.1, 6.7) from vendor sources
  • Risk ranking of vulnerabilities (6.1, 6.7)
  • Patch management (6.2, 6.7)
  • Software Development Life Cycle (SDLC, 6.3, 6.7) including Secure Coding Guidelines and Training (6.5, 6.7)
  • Access control, including the use of Role-Based Access Control (7.3)
  • Identification and authentication of individual users (8.1, 8.2, 8.4, 8.5, 8.6, 8.7, 8.8), including the user authentication policy for password changes
  • Ensuring visitor identification and authorization (9.4.*, 9.10)
  • Media (physical and electronic) classification (9.6) and management (9.7), including media storage (9.5) and destruction (9.8) (all within 9.10)
  • Protecting payment card devices from tampering (9.9.*, 9.10)
  • Logging and monitoring of relevant events (10.*, 10.8)
  • Wireless network testing (11.1.*, 11.6)
  • Vulnerability testing (11.2.*, 11.6) - aka performing vulnerability scans
  • Network and application penetration testing (11.3.*, 11.6) including network segmentation testing (11.3.4) and corrections of identified vulnerabilities (11.3.3)
  • Intrusion detection management (11.4, 11.6)
  • Critical changes detection (11.5.*, 11.6)
  • Performing risk assessment as required (12.2)
  • Developing and maintaining usage policies for critical technologies that pose a high risk (12.3), such as remote access and wireless technologies (8.3), acceptable devices (12.3.3 / 12.3.4), mobile devices (laptops, tablets, phones) including BYOD if in use, removable electronic media, email usage and Internet usage
  • Never sending unprotected PANs by end-user messaging technologies (4.2)
  • Ensuring formal security awareness training (12.6.*)
  • Personnel screening (HR) (12.7)
  • Managing PCI Service Providers (12.8.*, 12.9)
  • Incident response management (12.10.8)

These policies should be reviewed at least annually, updated whenever the environment changes (12.1.1), and approved by staff at the appropriate level of the organization. We will review the specific requirements that must be covered by the policies in section 3.7.

Further reading: