Skip to main content
All CollectionsCompliance
Required Documentation for PCI DSS
Required Documentation for PCI DSS
Ethan Heller avatar
Written by Ethan Heller
Updated over a week ago

PCI DSS is probably the most critical compliance standard your organization will need to comply with if your organization processes payment card transactions or has customers who process payment card transactions. If your organization does not comply with PCI, you may lose authorization to process these transactions or, if you don’t process transactions, you may lose the business of customers who rely on your service for their own transaction processing activities. Part of complying with PCI will involve producing significant amounts of documentation related to managing your IT environment. This documentation will be used to support your answers if you are filling out a PCI DSS Self-Assessment Questionnaire (SAQ) or support your auditor’s testing if you are required to have a PCI on-site assessment performed (QSA assessment or Report on Compliance (ROC)).

To help determine what documentation is required when completing a PCI SAQ or ROC, we have read through PCI SAQ D, the assessment guidance for PCI ROCs, and outside sources.

The table below contains the documentation required for each of the 12 PCI DSS requirements outlined by the PCI Security Standards Council.

PCI Requirement

Documentation Required

  1. Install and maintain a firewall configuration to protect cardholder data

  • Firewall and router configuration standards for your organization

  • Network diagram showing how the network is segmented (such as through the use of DMZs, etc.)

  • Data flow diagrams showing how data flows into and out of the Cardholder Data Environment

  • Network policies/procedures which document who has access to the network, who is responsible for administration, etc.

  • Most recent firewall/router rule review

  1. Do not use vendor-supplied defaults for system passwords and other security parameters

  • Hardening procedures for in-scope network components (firewalls, routers, servers, databases, etc.)

  • Policies/procedures which document a requirement to change vendor supplied default configurations where possible

  • Asset inventory documenting the in-scope network assets

  • Data retention policy/procedures

  • Data disposal/deletion policies/procedures

  • Data protection or storage policies/procedures

  1. Protect stored cardholder data

  • Encryption policy or procedures which cover hard drive/disk encryption

  • Encryption key management policy/procedures which include key lifecycle management procedures

  • Key management/custodian acceptance form which covers the responsibilities of key custodians and requires sign offs

  1. Encrypt transmission of cardholder data across open, public networks

  • Hardening procedures for in-scope network components (firewalls, routers, servers, databases, etc.)

  • Encryption policy or procedures which cover the encryption algorithms and strengths used to transmit data within the network

  • Network policies/procedures which document who has access to the network, who is responsible for administration, etc.

  1. Protect all systems against malware and regularly update anti-virus software or programs

  • Antivirus policies or procedures or other documents which indicate the requirement for antivirus on endpoints and systems within the Cardholder Data Environment

  1. Develop and maintain secure systems and applications

  • Software Development Life Cycle policies/procedures documenting a requirement for security during each phase of the development process

  • Change management policy/procedures

  • Security testing procedures for systems

  • Vulnerability management policies/procedures

  • System/software patching procedures

  1. Restrict access to cardholder data by business need-to-know

  • Access control policy/procedures

  1. Identify and authenticate access to system components

  • Access control policy/procedures

  • Documented job duties and responsibilities for users with access to the Cardholder Data Environment

  1. Restrict physical access to cardholder data

  • Physical access control policies/procedures including visitor identification procedures

  • Policies/procedures for secure storage of media (removable media, hard disks, backup media, etc.)

  • Policies/procedures for distributing media to employees

  • Asset inventory and documented review containing media assets

  • Media destruction policies/procedures

  • (if your organization maintains payment card terminals) Policies/procedures for securing card reading devices

  • (if your organization maintains payment card terminals) Inventory of payment card reading devices

  • (if you organization maintains payment card terminals) Security awareness training materials for detecting tampering with payment card reading devices

  1. Track and monitor all access to network resources and cardholder data

  • System monitoring policies/procedures documenting what is logged, required log fields, and frequency of log review

  1. Regularly test security systems and processes

  • Policies and procedures covering detecting both authorized and unauthorized wireless devices

  • Inventory of authorized wireless devices

  • Incident response plan/procedures

  • Internal network vulnerability scan results

  • External network vulnerability scan results performed by a PCI Approved Scanning Vendor (ASV)

  • Internal penetration test results

  • External penetration test results

  1. Maintain a policy that addresses information security for all personnel

  • Information Security Policy

  • Risk Assessment Policy

  • Completed Risk Assessment

  • Acceptable Use and any other IT Resource Usage policies

  • List of company approved products/services

  • Incident Response Plan

  • Security Monitoring procedures

  • System Monitoring procedures

  • Documented roles and responsibilities for network and security monitoring

  • Documented Security Awareness Program

  • HR policies and procedures related to managing personnel

  • Third Party/Vendor Management policies and procedures

  • Documented list of third parties used within the Cardholder Data Environment

  • Incident Response Plan test

This article was developed through the use of the following website: along with consulting the assessor guidance provided by the PCI Security Standard Council.

Did this answer your question?