No one likes to talk about documentation. And for good reason, it’s boring, tedious, and generally doesn’t accomplish any of your tasks or goals, it’s just ancillary support work. When it comes to PCI Compliance though, the more thorough your documentation is the easier your QSA onsite assessment will be or the more honestly you’ll be able to answer your SAQ. So today’s PCI compliance tip is going to center around little things you can do to improve your documentation, which in turn should make maintaining compliance easier and more stress-free.
Let’s start with something simple, but often forgotten or overlooked. You would be amazed at how many organizations don’t have a date on their documentation. We’re talking about it in the context of PCI, but this is just a good practice to follow for all of your organizational documentation related to security or IT processes. Including at least the date of the most recent update let’s you know the last time you’ve reviewed/updated a document, and gives your assessor some confidence that it has been updated. Even better, include the original draft date/author and then add a revision history so can see the major changes made to a document over time.
Ultimately, this one little step will help you stay organized and make sure your documentation is getting the TLC it needs. It will also help your assessor quickly see that you are maintaining your administrative security controls throughout the year and they’ve been recently updated to reflect your current environment.
Review All of Your Documents Annually
Speaking of dates, another great idea when it comes to your PCI compliance-related documentation is to make sure you are updating it at least annually. Ideally, you want to include a quarterly process to review and update documentation where changes have been made in your organization. But at least annually, make sure you are reading through what your policies/procedures say and make sure that matches up with reality and your security requirements. It makes it really hard to complete this if you’re not dating all of your documentation!
Tie Documents to PCI Requirements
There are hundreds of PCI requirements within version 3.2.1 of the PCI Data Security Standard (DSS) that all prescribe different required security controls for your organization. This includes documentation-related requirements that state you must have policies/procedures that match up with the requirements and contain certain content. With so much content to manage, it’s easy to lose track of what you are using to meet each requirement and it may be hard for the assessor to decipher where things are in your documentation as well.
To streamline your maintenance and the assessor’s evaluation of your documentation while filling out the RoC or helping you complete an SAQ, it’s a good idea to tie PCI requirements directly to documents or sections of documents that you are using to meet those requirements. While this is not a trivial process the first time, it makes it much more clear that you have the required documentation and that your documents actually state things correctly.
Depending on the structure of your documentation, I have seen organizations successfully use inline requirement lists, like a subtitle for each section of a document. If things are spread across multiple documents, a Word or Excel doc that lists out each requirement and ties it to a specific location or folder, document, and section can also serve as a great map. The only drawback here is you’ve got to remember to update it or you could end up with mismatched requirements after updates are made. You could even use a combination of these two approaches.
This may sound unhelpful, but it’s often worthy of a quick reminder to keep your documentation organized throughout the year. This prevents you from trying to find everything and scramble to get all the required documentation over to your assessor at the last minute. If you have a clear and concise folder structure, and you are putting your PCI-related documentation there throughout the year, turning in evidence to an assessor should be very easy.
The actual implementation that different organizations use to stay organized will always be different to fit their business processes, so it’s impossible to be more prescriptive here. But some things to consider are organizing evidence by PCI requirement (as specific as you can be) in a folder structure or even naming files with the PCI requirement in them. Again, this is easy for me to say but takes some time to implement and may require some different iterations to find what fits for your organization and makes your life easier, without causing any friction.
Hopefully this PCI compliance tip is something you can start implementing in your organization right away. PCI compliance can be overwhelming, as there is so much lingo to understand and so many nuances to maintaining compliance over time. With any compliance program, it’s important to remember that the requirements are there to help you be more secure, and a strong organizational security posture is the end goal, not just blindly checking a box. If you need help setting up a successful compliance program that is easy to maintain and prioritizes security, feel free to reach out and we’d love to help!