The Payment Card Industry Data Security Standard (PCI DSS) sets security requirements for any organization that stores, processes, or transmits cardholder data, merchants and service providers alike. It is not a law but an industry-created, industry-maintained standard enforced contractually through the card brands and acquiring banks; noncompliance can lead to fines or even the loss of credit card processing capabilities.

For many merchants, the real costs stem from getting into compliance: the time and money spent making sure that you have the right security infrastructure in place, that your systems meet all the necessary requirements, and that you have the documentation to demonstrate your efforts. Those costs can differ dramatically, depending on a merchant's size and circumstances.

PCI Documentation can seem like a long, painstaking process for many merchants and service providers. Many that I work with describe it as “staring at a mountain of policy documents and not knowing where to start climbing.” But, before you figure out how to climb the documentation mountain, it’s important to identify the various types of informational documents and tasks you’re going to be required to document.

3 Types of Documents You Need for PCI Compliance

The first step to compiling effective PCI documentation is to define the various types of documents you will need to record. Here are three that will be important to consider:

1. Policy.

Policies define what you do when it comes to PCI compliance. For example, "All stored cardholder data shall be encrypted." (Word policies in terms of cardholder data rather than "sensitive data": in PCI DSS terminology, sensitive authentication data such as the card verification code and full track data may not be stored at all after authorization, so a policy about encrypting it would describe something the standard prohibits.) Policies are management instructions indicating a predetermined course of action, or a way to handle a problem or situation. Defining policy is typically the responsibility of management, since they are more familiar with compliance obligations and executive directives. As a manager, you might choose to assign team members the task of composing the documents, but it's up to you to provide direction and approval for policy content.

2. Standards.

Standards define what is required to maintain the policy. For example, "All stored cardholder data shall be encrypted with AES using 256-bit keys." Standards are mandatory directives to carry out management's policies and are used to measure compliance with policies. Note that the PCI DSS requirements themselves are the same for every organization; what differs by merchant level, payment channel, and whether you are a service provider is how compliance is validated (which Self-Assessment Questionnaire applies, or whether a full Report on Compliance is needed). It's important to know and document which requirements and which validation path apply to your business.

3. Procedures. 

Procedures define how you apply the PCI requirement. For example, "In order to meet the standard, we must 1) generate the encryption key, 2) install the key in the application, 3) run the encryption process, and so on." For this particular example, remember that PCI DSS Requirement 3 also expects documented key-management procedures, so the steps should cover key rotation, retirement, and destruction, not just initial setup. Procedures are designed as a series of steps to be followed as a consistent, repeatable cycle to accomplish an end result. They provide a helpful window into how tasks are carried out and may reveal potential lapses in compliance.

3 Types of Tasks You’ll Want to Document 

Once you understand the various types of documents required for PCI compliance, the next step is to identify all the various tasks that will be defined in your procedures. To simplify things, I often encourage clients to place tasks in one of three primary buckets.

1. Critical tasks.

These are the most common types of tasks organizations already have documented. Critical tasks include things like backup and recovery, configuration or build procedures, and incident response. These are the tasks you want to document to be sure you don’t miss a step that will get you or your team in trouble!

2. Regular tasks. 

These are the tasks that might lead you to think, "I do it every day, so why do I need to document it?" However, it's important to remember that documentation is not just for you. If you leave your company or are unavailable, the task doesn't just go away. One of your colleagues or a new hire might have to step in and do it. Documenting regular tasks prevents a lot of clean-up work later.

3. Rare tasks. 

These are the tasks you dread because they don't come up often, but, when they do, you know it's going to take some effort to recall how you did it the last time. These typically involve rarely used systems or stable applications that don't need much care and feeding. Oftentimes, it's a manual task. This is why I encourage clients to document the task while they're doing it. If you wait until later, you might forget details that will be important the next time it comes around.

3 Key Ways to Reduce PCI Compliance Cost

1. Explore opportunities for segmentation

The PCI DSS applies to every system that stores, processes, or transmits cardholder data, and also to any system that can connect to or affect the security of those systems (firewalls, directory servers, jump hosts, monitoring tools). But most merchants have many systems that never touch card data: building management systems, for example. If those systems are properly walled off (or "segmented") from the payments-handling systems, so that no network path exists between them and the cardholder data environment, they can be excluded from PCI DSS scope. For many merchants, segmentation is the single biggest lever for limiting the scope of PCI security measures and expenditures. Two words of warning, though. First, segmentation has to be proven, not assumed: PCI DSS requires penetration testing of the segmentation controls at least annually (and every six months for service providers), and a single permissive firewall rule can quietly pull a "non-payment" network back into scope. Second, sometimes it just makes sense for your payment processes and other systems to coexist, for example in a smaller business with a limited number of computers. Careful case-by-case evaluation is the best way to determine whether segmentation makes sense for you.
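As an added illustration of the scoping logic above (this is example code written for this page, not code from the article or from LBMC), the script below models a firewall ruleset as an ordered, first-match list and reports which network zones can still exchange traffic with the cardholder data environment, and therefore remain in scope. A zone with an allowed path in either direction is in scope even if it holds no card data, which is what makes the jump-host zone below a "connected-to" system. The zone names, address ranges, rules, and probed ports are all constructed assumptions; the second, weaker ruleset shows how dropping the explicit deny in front of a permissive catch-all rule pulls every zone into scope.

```python
"""Segmentation scope check: which network zones can reach the CDE?

Added example, not from the original article. Zone names, address ranges
and firewall rules are constructed for illustration. The ruleset is
modelled as an ordered, first-match list with an implicit deny at the end,
which is how most firewalls behave; interfaces, protocols and stateful
replies are omitted from this simplified model.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    src: str             # source CIDR
    dst: str             # destination CIDR
    port: Optional[int]  # destination port; None matches any port
    action: str          # "allow" or "deny"
    _src: ipaddress.IPv4Network = field(init=False, repr=False)
    _dst: ipaddress.IPv4Network = field(init=False, repr=False)

    def __post_init__(self):
        # Parse once so the probing loop below does not re-parse per check.
        self._src = ipaddress.ip_network(self.src)
        self._dst = ipaddress.ip_network(self.dst)

    def matches(self, src_ip, dst_ip, port):
        return (src_ip in self._src and dst_ip in self._dst
                and (self.port is None or self.port == port))


def decide(rules, src_ip, dst_ip, port):
    """First matching rule wins; if nothing matches, the flow is denied."""
    if isinstance(src_ip, str):
        src_ip = ipaddress.ip_address(src_ip)
    if isinstance(dst_ip, str):
        dst_ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.matches(src_ip, dst_ip, port):
            return rule.action
    return "deny"


def zones_in_scope(zones, rules, cde, ports=(22, 443, 1433, 3389)):
    """Map each in-scope zone to the first allowed flow that puts it there.

    A zone is in scope if it is the CDE itself, if any host in it can
    initiate a connection to a CDE host, or if any CDE host can initiate a
    connection to it, on any probed port. Every host pair is probed so that
    first-match semantics stay exact; the sample networks are small enough.
    """
    cde_net = ipaddress.ip_network(zones[cde])
    in_scope = {cde: "is the CDE"}
    for name, cidr in zones.items():
        if name == cde:
            continue
        net = ipaddress.ip_network(cidr)
        for src_net, dst_net, label in ((net, cde_net, "into CDE"),
                                        (cde_net, net, "from CDE")):
            flow = next((f"{label}: {s} -> {d}:{p} allowed"
                         for s in src_net.hosts()
                         for d in dst_net.hosts()
                         for p in ports
                         if decide(rules, s, d, p) == "allow"), None)
            if flow:
                in_scope[name] = flow
                break
    return in_scope


# Constructed sample environment (assumed addresses, not real ones).
ZONES = {
    "cde": "10.10.0.0/27",            # payment systems
    "admin-jump": "10.20.0.0/27",     # bastion hosts used by administrators
    "building-mgmt": "10.30.0.0/27",  # HVAC / badge readers, no card data
    "guest-wifi": "192.168.50.0/27",
}

STRICT_RULES = [
    Rule("10.20.0.0/27", "10.10.0.0/27", 22, "allow"),  # admins SSH into CDE
    Rule("10.10.0.0/27", "10.20.0.0/27", None, "deny"),
    Rule("0.0.0.0/0", "10.10.0.0/27", None, "deny"),    # nothing else into CDE
    Rule("10.10.0.0/27", "0.0.0.0/0", None, "deny"),    # CDE egress denied
    Rule("0.0.0.0/0", "0.0.0.0/0", None, "allow"),      # permissive elsewhere
]

# Same intent, but the explicit denies around the CDE were forgotten.
WEAK_RULES = [STRICT_RULES[0], STRICT_RULES[1], STRICT_RULES[4]]

if __name__ == "__main__":
    for label, rules in (("strict", STRICT_RULES), ("weak", WEAK_RULES)):
        print(f"--- {label} ruleset ---")
        for zone, why in zones_in_scope(ZONES, rules, "cde").items():
            print(f"{zone:15} {why}")
```

With the strict ruleset only the CDE and the jump-host zone are reported in scope; with the weak ruleset every zone is, because the catch-all allow now reaches the CDE. A review like this complements, but does not replace, the segmentation penetration test the standard requires.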

2. Work with security partners

For large-scale merchants with complex systems, the cost of compliance can be high simply because of the scope of their operation. These medium-to-large businesses are often well served by transferring some of the security responsibilities to a third-party firm. For example, a managed security service can provide continuous monitoring and rapid response to network intrusions for less than it would cost to achieve the same goals with highly compensated internal staff. Many of these businesses will already have worked with a Qualified Security Assessor in the course of obtaining a Report on Compliance (ROC) to demonstrate PCI compliance to their acquiring bank (the ROC is required of the largest merchants and many service providers; smaller merchants typically validate with a Self-Assessment Questionnaire instead).

A Qualified Security Assessor is a third-party security organization like LBMC that has been vetted and qualified by the PCI Security Standards Council to perform PCI DSS assessments. What many businesses don't know is that a QSA, which may already be familiar with your security operations and needs, is allowed to provide additional security services as well, such as penetration testing and managed security solutions. One caveat: the Council's QSA qualification requirements include independence rules, so a QSA firm cannot assess controls that it designed, implemented, or operates for you; keep that separation in mind when deciding which services to buy from whom. A third-party organization also can't take on 100% of your PCI responsibility. You still have to verify and be able to demonstrate compliance. But you can leverage their expertise to implement more cost-effective, customized solutions and reduce your burden.

3. Compensating controls

While larger organizations may have to deal with a larger system scope, smaller organizations face their own challenges. Often, small businesses have less money to spend on security solutions and less flexibility in how their systems are built. For cases where a requirement genuinely cannot be met as written, the PCI DSS allows "compensating controls" to be used in place of the standard requirements (also known as "controls"). This provision asks you to look at what a given control is trying to accomplish. Is it protecting card data? Core systems?

The compensating control provision allows you to implement a different solution that achieves the same objective as the original control. Often, these compensating controls turn out to be cheaper or less invasive alternatives, but that is a side effect, not the justification: the standard permits them only where a legitimate technical or documented business constraint prevents meeting the original requirement, and an assessor will not accept "it costs too much" on its own. The compensating control must meet the intent and rigor of the original requirement, provide a similar level of defense, go above and beyond what other PCI DSS requirements already demand, and be documented in a compensating controls worksheet that is re-validated at every assessment. There is no universal rule for when compensating controls apply; each situation is unique to each merchant and should be considered independently.

With that said, a QSA is in the best position to help an organization identify and document an appropriate compensating control once the organization realizes that there is a particular PCI control it cannot meet. If you are struggling to implement or maintain certain PCI controls because of limitations within your technical environment, staffing model, or business applications, consider working with a QSA to identify and justify a reasonable alternative.

Take the First Step Toward PCI Compliance

PCI documentation is a critical step in compliance: policies, standards, and procedures are what turn good security intentions into controls that are actually carried out, and they are the evidence an assessor will ask for. If your business stores, processes, or transmits credit card data, you are responsible for compliance with PCI DSS.