PCI Mandatory Documents

Ben Pournader
1 min read · Jul 27, 2018


List of all documents that we have to prepare based on PCI DSS 3.2.1:

  1. Security policy
  2. Risk assessment and risk analysis process
  3. Diagram or a documented inventory of cardholder data locations
  4. Up-to-date list of devices and system components that are in scope for PCI DSS
  5. Current network diagram that identifies all connections between the CDE and other networks
  6. Current data-flow diagram that shows all cardholder data flows across systems and networks
  7. List of services, protocols and ports that are necessary for business
  8. Configuration standards (system hardening standards) for all system components in PCI scope
  9. Data retention and disposal policies and procedures including processes for secure deletion of data when no longer needed
  10. Business recovery and continuity procedures and data backup processes
  11. Documented process for testing and approval of changes to firewall and router configurations
  12. Description of roles and assignment of responsibilities for the security of network devices
  13. Procedures to manage and protect keys used to secure stored cardholder data
  14. Authentication policies and procedures
  15. Processes to test for the presence of wireless access points
  16. Incident response procedures in the event unauthorized wireless access points are detected
  17. A process to respond to any alerts generated by the change-detection solution (like FIM)
  18. Usage policies for critical technologies that define the proper use of these technologies
  19. Incident response plan

Ben Pournader

Information Security Expert, Cyber Security Engineer, Blogger, Mentor, PCI SME, CISM, CGEIT, CISA, CRISC, RHCSA, MCSE, CCNA, MBA, PMP, CLSSGB