PCI Mandatory Documents

List of all documents that we have to prepare based on PCI DSS 3.2.1:

1. Security policy
2. Risk assessment and risk analysis process
3. Diagram or a documented inventory of cardholder data locations
4. Up-to-date list of devices and system components that are in scope for PCI DSS
5. Current network diagram that identifies all connections between the CDE and other networks
6. Current data-flow diagram that shows all cardholder data flows across systems and networks
7. List of services, protocols and ports that that are necessary for business
8. Configuration standards (system hardening standards) for all system components in PCI scope
9. Data retention and disposal policies and procedures including processes for secure deletion of data when no longer needed
10. Business recovery and continuity procedures and data backup processes
11. Documented process for testing and approval of changes to firewall and router configurations
12. Description of roles and assignment of responsibilities about security of network devices
13. Procedures to manage and protect keys used to secure stored cardholder data
14. Authentication policies and procedures
15. Processes to test for the presence of wireless access points
16. Incident response procedures in the event unauthorized wireless access points are detected
17. A process to respond to any alerts generated by the change-detection solution (like FIM)
18. Usage policies for critical technologies and define proper use of these technologies
19. Incident response plan