This is it. We have reached the end of the tunnel and find ourselves at the last step in becoming PCI compliant. So let’s take a look at what we need to meet the final PCI DSS standard…
Requirement 12: Maintain a policy that addresses information security
This part of the standard lists more policies we have to implement and more procedural documentation to write. A complete list of specific policies and documentation we need is here. Given the scope of this requirement, I can give some general information about complying with this standard, but I cannot cover every portion of the requirements. Some examples of policies that require documentation are:
- Formal Risk Assessment and Risk Management Program
- Security Awareness Program
- Usage Policies for all end-user technologies and company resources
- Incident Response Plan
This standard, more than any other forces us to think about what we will do in the event of an attack on our network, or when our security is compromised either externally or internally. We need to know what to do in the event an attack is identified. How do we respond? Who is in charge of our response? What response capabilities do we have internally? Do we need to involve outside experts?This also includes company directives such as the establishment of a security team, security education for all employees, and pre-employment screening. At this point in our small company of one, we still need to have these policies and procedures in place and documented. As we grow we can spend more time revising them in the future (since we already have to review and update our policies regularly).
Reading the PCI DSS requirements, we see many areas calling for documentation for various systems and procedures relating to the use and storage of our customers’ information. Among the requirements are the following:
- Data Retention and Disposal Policy
- Anti-Virus Policies and Procedures
- Password Management rules
- Firewall Policies and Procedures
- Change Management Guidelines
The documentation directly above will be useful in complying with this final PCI requirement, but they do not replace it. This is, in essence, the culmination of the previous eleven standards. Requirement 12 establishes how all of the above work together to create our over-arching security policy. In addition to formalizing established policies and their interaction, we need to establish daily, quarterly and annual audits of our users, our system updates, and a formal risk assessment. For example, checking our logs for potential employee security violations and purging users/employees who no longer require access.In a few weeks I will recap what I learned during this exercise in meeting PCI DSS compliance. I will be extending this article series to provide more details on just how much time is involved in meeting the PCI standards. While there are significant hardware and software investments in meeting the requirements, time, I found, was my greatest investment.