Requirement 4 PCI Information Security Policies from pcypolicyportal.com

PCI information security policies for Requirement 4 require merchants, service providers and any other entity to adhere to the following:

• Primary Account Numbers (PAN) will not be sent via unencrypted email.
• Primary Account Numbers (PAN) will not be sent via an "Instant Messaging" protocol.
• Primary Account Numbers (PAN) will not be sent via a chat protocol or forum sessions.

Moreover, the Payment Card Industry Data Security Standards also clearly state that one must "verify the existence of a policy" regarding the above three items for the Primary Account Numbers (PAN).

Also, please keep in mind that though there are no other requirements for PCI information security policies for Requirement 4 itself, there are other areas that essentially are supported by other PCI information security policies outside of Requirement 4.

Let's give you a quick example. One of the tests to conduct for this area is to "verify the use of encryption" and that "strong encryption is used". Obviously, one can examine the key management policy and procedure documentation for helping validate that there is indeed encryption in place and that the encryption is "strong". This is just one part of validating encryption, the other would be to examine the database and the type of encryption that is in place, such as column, file or full database.

So you can clearly see how some statements and tests to be conducted may not clearly call for PCI information security policies, but an indirect relationship to having other PCI information security policies still apply.

View the table of contents or order PCI information security policies today from pcipolicyportal.com