Governance, Risk Management and Compliance
|
Information Security
|
PCI DSS 
BLOGS

PCI Policies, Procedures and Evidence – What is expected?

Alastair Stewart
|
Senior Consultant at URM
|
PUBLISHED on
08
August
2022
Table of contents

While it’s one of the areas that IT and security departments find challenging, documentation (and compliant evidence) is what makes for a happy and satisfied PCI Qualified Security Assessor (QSA), and, more importantly, a successful PCI compliance audit!  Successful compliance programmes invariably depend on the accurate and consistent recording of events and the adherence to well-defined policies and procedures.

These documents ensure all staff are aware of their obligations, as well as defining the necessary actions to ensure a secure and compliant environment is achieved. With a number of PCI requirements, certain documents will need to be reviewed periodically or the instructions contained therein carried out at specific intervals.  

If the actions in question (i.e. firewall rule reviews / external vulnerability scans) are not performed as instructed, the entire compliance initiative may be jeopardised.  Organisations are well-advised to analyse their documentation and evidentiary requirements and summarise these centrally, where the content and resulting actions can be tracked.  

Security policies and procedures are not a new concept and, coupled with the multitude of security standards that have been developed over the past few decades, there’s no need to start from scratch and be overly creative.  

As long as the documents are clear, concise, deliver the intended message, are customised to the environment in question and elicit the necessary behaviour, the document set will achieve the desired outcome.   It is essential that you ensure all PCI control statements which require explicit documentation are included in the relevant documents.  This will save you both time and resources when addressing this necessary, albeit challenging, task.

The list of documents and evidence artefacts that act as the baseline for achieving compliance with the PCI DSS is very extensive.

Not all documents will be obligatory for all organisations, however, a significant number will need to have been implemented in order for a successful outcome to be achieved.  If these documents, procedures and activities geared towards producing the necessary evidence are in place, you are well on the way to attaining compliance.  To illustrate the type of documents and evidence (by no means exhaustive!) you will typically need to develop and implement, here is starter for ten!:

Documents

  1. Network device management policy
  2. Wireless scanning procedure (rogue access points)
  3. Remote access policy (staff/vendor)
  4. Device configuration standards
  5. Visitor policy
  6. Operational security procedures

Evidence

  1. Network diagrams
  2. Dataflow diagrams
  3. Incident response test
  4. Role-based access matrix
  5. Vulnerability scans
  6. Risk register
  7. Third party contracts (soft copy)

Alastair Stewart
Senior Consultant at URM
Alastair is one of the most experienced and proficient Payment Card Industry Qualified Security Assessors (PCI QSAs) in the UK. He has completed in excess of one hundred successful reports on compliance (RoCs) against different PCI DSS versions along with supporting the completion of self-assessment questionnaires (SAQs).
Read more
Read more

Do you need support in meeting your annual PCI DSS penetration testing requirements?

As a CREST-accredited penetration testing organisation, URM can complete internal and external penetration tests.
Recent blogs
ISO 27001:2022 Annex A Physical Controls
Sharing Personal Data With the Police
PCI SSC Announces Changes to the SAQ A
Are you Processing Special Category Personal Data Without Knowing It?
Apple Removes Advanced Data Protection Tool from UK
How URM can help?
Consultancy
All you need to meet SOC 2 requirements

If your organisation has received a request for a SOC 2 report and is looking to meet all the necessary requirements, URM can offer you informed guidance and practical support.

Read more
Consultancy
Do you need any help with ISO 27001 certificate?

URM can help you achieve ISO 27001 certification

Read more
Consultancy
ISO 27002:2022 Support

URM can provide a range of ISO 27002:2022 transition services including conducting a gap analysis, supporting you with risk assessment and treatment activities as well as delivering a 2-day transition training course.

Read more
URM holds free seminars and webinars for end-user organisations focusing on information security.
Find out more
related BLog posts
Thumbnail of the Blog Illustration
Information Security
Published on
10/3/2025
PCI SSC Announces Changes to the SAQ A

URM’s blog explains the recent update to PCI DSS SAQ-A that has resulted in the removal of 2 new v4 requirements & the addition of new eligibility criteria.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
8/8/2022
Preparing for a Report on Compliance (ROC)

There’s no getting away from the fact that preparing for a PCI DSS ROC can be a bit of a trial....

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
8/8/2022
PCI Policies, Procedures and Evidence – What is expected?

While it’s one of the areas that IT and security departments find challenging, documentation (and compliant evidence)....

Read more
"
Leanr more about
URM Services
We were impressed with the implementation and management of the Abriska tool. The service we have received is of a high quality due to the Team’s attention to detail, proactiveness and implementation of enhancement requests from the dev side. The Board is also impressed with the tool and is looking to complete an organisation-wide implementation soon. We will definitely recommend other charity contacts to use the tool, as it is well priced and comes with excellent customer service.
Masonic Charitable Foundation
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.