Required Documentation for PCI DSS

PCI DSS is probably the most critical compliance standard your organization will need to comply with if your organization processes payment card transactions or has customers who process payment card transactions. If your organization does not comply with PCI, you may lose authorization to process these transactions or, if you don’t process transactions, you may lose the business of customers who rely on your service for their own transaction processing activities. Part of complying with PCI will involve producing significant amounts of documentation related to managing your IT environment. This documentation will be used to support your answers if you are filling out a PCI DSS Self-Assessment Questionnaire (SAQ) or support your auditor’s testing if you are required to have a PCI on-site assessment performed (QSA assessment or Report on Compliance (ROC)).

To help determine what documentation is required when completing a PCI SAQ or ROC, we have read through PCI SAQ D, the assessment guidance for PCI ROCs, and outside sources.

The table below contains the documentation required for each of the 12 PCI DSS requirements outlined by the PCI Security Standards Council.

PCI Requirement	Documentation Required
Install and maintain a firewall configuration to protect cardholder data	Firewall and router configuration standards for your organization Network diagram showing how the network is segmented (such as through the use of DMZs, etc.) Data flow diagrams showing how data flows into and out of the Cardholder Data Environment Network policies/procedures which document who has access to the network, who is responsible for administration, etc. Most recent firewall/router rule review
Do not use vendor-supplied defaults for system passwords and other security parameters	Hardening procedures for in-scope network components (firewalls, routers, servers, databases, etc.) Policies/procedures which document a requirement to change vendor supplied default configurations where possible Asset inventory documenting the in-scope network assets Data retention policy/procedures Data disposal/deletion policies/procedures Data protection or storage policies/procedures
Protect stored cardholder data	Encryption policy or procedures which cover hard drive/disk encryption Encryption key management policy/procedures which include key lifecycle management procedures Key management/custodian acceptance form which covers the responsibilities of key custodians and requires sign offs
Encrypt transmission of cardholder data across open, public networks	Hardening procedures for in-scope network components (firewalls, routers, servers, databases, etc.) Encryption policy or procedures which cover the encryption algorithms and strengths used to transmit data within the network Network policies/procedures which document who has access to the network, who is responsible for administration, etc.
Protect all systems against malware and regularly update anti-virus software or programs	Antivirus policies or procedures or other documents which indicate the requirement for antivirus on endpoints and systems within the Cardholder Data Environment
Develop and maintain secure systems and applications	Software Development Life Cycle policies/procedures documenting a requirement for security during each phase of the development process Change management policy/procedures Security testing procedures for systems Vulnerability management policies/procedures System/software patching procedures
Restrict access to cardholder data by business need-to-know	Access control policy/procedures
Identify and authenticate access to system components	Access control policy/procedures Documented job duties and responsibilities for users with access to the Cardholder Data Environment
Restrict physical access to cardholder data	Physical access control policies/procedures including visitor identification procedures Policies/procedures for secure storage of media (removable media, hard disks, backup media, etc.) Policies/procedures for distributing media to employees Asset inventory and documented review containing media assets Media destruction policies/procedures (if your organization maintains payment card terminals) Policies/procedures for securing card reading devices (if your organization maintains payment card terminals) Inventory of payment card reading devices (if you organization maintains payment card terminals) Security awareness training materials for detecting tampering with payment card reading devices
Track and monitor all access to network resources and cardholder data	System monitoring policies/procedures documenting what is logged, required log fields, and frequency of log review
Regularly test security systems and processes	Policies and procedures covering detecting both authorized and unauthorized wireless devices Inventory of authorized wireless devices Incident response plan/procedures Internal network vulnerability scan results External network vulnerability scan results performed by a PCI Approved Scanning Vendor (ASV) Internal penetration test results External penetration test results
Maintain a policy that addresses information security for all personnel	Information Security Policy Risk Assessment Policy Completed Risk Assessment Acceptable Use and any other IT Resource Usage policies List of company approved products/services Incident Response Plan Security Monitoring procedures System Monitoring procedures Documented roles and responsibilities for network and security monitoring Documented Security Awareness Program HR policies and procedures related to managing personnel Third Party/Vendor Management policies and procedures Documented list of third parties used within the Cardholder Data Environment Incident Response Plan test

This article was developed through the use of the following website: https://www.pcidssguide.com/pci-dss-policy-and-procedure-documentation/ along with consulting the assessor guidance provided by the PCI Security Standard Council.