PCI Mandatory Documents

  1. Security policy
  2. Risk assessment and risk analysis process
  3. Diagram or a documented inventory of cardholder data locations
  4. Up-to-date list of devices and system components that are in scope for PCI DSS
  5. Current network diagram that identifies all connections between the CDE and other networks
  6. Current data-flow diagram that shows all cardholder data flows across systems and networks
  7. List of services, protocols and ports that are necessary for business
  8. Configuration standards (system hardening standards) for all system components in PCI scope
  9. Data retention and disposal policies and procedures including processes for secure deletion of data when no longer needed
  10. Business recovery and continuity procedures and data backup processes
  11. Documented process for testing and approval of changes to firewall and router configurations
  12. Description of roles and assignment of responsibilities for the security of network devices
  13. Procedures to manage and protect keys used to secure stored cardholder data
  14. Authentication policies and procedures
  15. Processes to test for the presence of wireless access points
  16. Incident response procedures in the event that unauthorized wireless access points are detected
  17. A process to respond to any alerts generated by the change-detection solution (such as file integrity monitoring, FIM)
  18. Usage policies for critical technologies that define the proper use of these technologies
  19. Incident response plan

Information Security Expert, Cyber Security Engineer, Blogger, Mentor, PCI SME, CISM, CISA, CRISC, RHCSA, MCSE, CCNA, MBA, PMP, CLSSGB
Ben Pournader