PCI DSS Compliance & PCI Policies | They Go Hand in Hand

PCI policies are a vital part of the overall process for becoming Payment Card Industry Data Security Standard (PCI DSS) compliant. So much so that no merchant, service provider or other third-party organization can be validated as PCI DSS compliant without them. While it is important to understand the relationship between PCI policies and the overall PCI framework, it is also essential to understand the basics of the PCI DSS framework itself.

First and foremost, the Payment Card Industry Security Standards Council defines the PCI DSS as follows:

"The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data."

Source: http://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

Simply stated, merchants, service providers and other third-party entities that process, store or transmit cardholder data and transaction data must adhere to the requirements of PCI DSS and become compliant, and that includes having PCI policies in place. So what is "transaction data"? It is the supporting information related to cardholder data that is also processed, stored or transmitted alongside it.

So where do PCI policies come into play in the overall compliance mandate? If you read through all 12 PCI DSS requirements as outlined at www.pcisecuritystandards.org, you will find that many of them call for PCI policies, procedures and other essential documentation from the entities (merchants, service providers and other third parties) that process, store or transmit cardholder data and transaction data. From Requirement 1 through Requirement 12, the standard lists a number of controls that must be in place, and many of them call for a documented policy. For example, Requirement 1 requires organizations to have firewall and router configuration standards. Similarly, Requirement 3 requires organizations to have a data retention and disposal policy in place. This is just a small sample of the PCI policies that organizations will need to have in place to comply.

To learn more about PCI policies, view the table of contents, visit the PCI policies frequently asked questions, or order now.