Regardless of the security or compliance framework you are mapping to, there will always be an established set of requirements stating that your business must have documented policies, procedures and standards in place. In this post I will clarify the difference between the three, and over a series of posts to come, I will provide you with a full set of free PCI compliance policy templates that you can use for meeting the related PCI DSS compliance obligations.
What’s in your policy documents?
After you’ve conducted your risk assessment—which is the foundation of your security program and defines the risks you intend to address—you will need to document Executive Management’s wishes. The act of documenting those wishes, in terms of their expectations of how the organization is to be run, is generally called a policy.
Your PCI policy sets the tone for the organization about addressing existing payment security risks by establishing requirements of things that must be done; therefore, when writing a policy, it’s important that you use commanding words, such as shall, must, will, etc. When you see a “policy” with words such as may, might, or when possible, these fall into the category of a guideline.
So, in short, a policy defines that something must be done. It does not describe how it is to be done or which tools are used; that is the job of your procedures and standards. When examining a procedure document, we generally look for the instructions on how to perform a specific action required by the policy. Think of the procedure as a recipe, and your standards as the ingredients.
When assessing for compliance, we shouldn’t care what you call your policy. What matters is that you have a documented position on how you address the risk the policy topic is meant to cover.
Get started with your PCI compliance policy.
As I mentioned above, this post is the beginning of a series of blogs. Each post will include a free PCI compliance policy template that you can use to meet your compliance efforts. However, please note that you will still have to develop your own procedures and standards to meet the obligations documented in your policy.
The first policy template I am sharing covers those entities that process cardholder data using a validated Point-to-Point Encryption (P2PE) solution. (Remember, a P2PE validated solution is not the same as an End-to-End Encryption, or E2EE, solution; learn more by reading our P2PE white paper.) Lastly, please be sure to review the validation criteria of the SAQ P2PE to ensure that you qualify to use that validation instrument.