The Best Ways to Maintain Your Organization's PCI DSS Documentation

Becoming compliant with payment card industry data security standard (PCI DSS) protocols can be a time-consuming process — but it’s a non-negotiable security standard required of merchants and other organizations that handle payments card data.

Even when taking a phased approach to achieving compliance by gradually completing the six milestones, it’s quite a feat that requires heavy documentation along the way.

Documentation is crucial to ensuring that your compliance controls are defined, effective, communicated, and available for your annual validation. However, many organizations develop documentation and file it away without integrating it into their actual day-to-day working environment. 

It would be a waste to build out all these time-consuming policies, processes, procedures, and standards only to have them exist on paper alone. It is also a major obstacle to maintaining and validating compliance.

Get real value from your compliance efforts by using what you develop in your PCI DSS journey to your full advantage:

1. Understand the difference between policies, processes, procedures, and standards

After you’ve completed the PCI Security Standards Council’s first five steps to achieving compliance, you’ll find that the sixth milestone requires you to “to finalize all remaining related policies, procedures, and processes needed to protect the cardholder data environment.”

PCI SSC Milestones




Remove sensitive authentication data and limit data retention. This milestone targets a key area of risk for entities that have been compromised. Remember — if sensitive authentication data and other cardholder data are not stored, the effects of a compromise will be greatly reduced. If you don't need it, don't store it.


Protect systems and networks, and be prepared to respond to a system breach. This milestone targets controls for points of access to most compromises and the processes for responding.


Secure payment card applications. This milestone targets controls for applications, application processes, and application servers. Weaknesses in these areas offer easy prey for compromising systems and obtaining access to cardholder data.


Monitor and control access to your systems. Controls for this milestone allow you to detect the who, what, when, and how concerning who is accessing your network and cardholder data environment. 


Protect stored cardholder data. For those organizations that have analyzed their business processes and determined that they must be primary account numbers, milestone five targets key protection mechanisms for that stored data.


Finalize remaining compliance efforts and ensure all controls are in place. The intent of milestone six is to complete PCI DSS requirements and finalize all remaining related policies, procedures, and processes needed to protect the cardholder data environment.


  1. Remove sensitive authentication data and limit data retention. 
  2. Protect systems and networks, and be prepared to respond to a system breach. 
  3. Secure payment card applications.
  4. Monitor and control access to your systems. 
  5. Protect stored cardholder data.
  6. Finalize remaining compliance efforts, and ensure all controls are in place.

However, many organizations struggle to distinguish the difference between policies, process, procedures, and standards because they all sound quite similar without proper context.

To understand the difference between these four terms, we like to use an analogy based on the way the Transportation Security Administration (TSA) secures commercial airports. When going through security screening at the airport, each concept can be compared as the following:


The main policy is that dangerous objects and substances should be kept off of air flights. But there are then more granular policies such as the separation of people that have been screened from those that have not, or that everybody must go through security even if they are staff. Think of policy as the big rules that describe how you want the world to be. 


Next, the TSA has a process that implements their policy to keep unscreened individuals separated from screened passengers. This process involves fences around the airfield, physical chokepoints that passengers must pass through to get to the gates, and the structured lineup and screening itself before accessing their gate. These are all components of the process of how the policy is implemented — but only one part is a procedure.


The TSA established a specific procedure for screening at the security checkpoints. These are the steps a flyer must take before being granted admittance to the gates. 

This procedure involves standing in line, showing an officer a flight ticket, presenting a legal form of ID to be scanned, taking off shoes, placing electronics in a separate screening bin, and more. Without following this procedure, an individual cannot fly. 


Not only do flyers need to follow a set procedure, but there are rules around what they can and cannot take through the security screening. These are the TSA’s standards. 

For instance, not exceeding a specific measurement of fluids in a carry-on bag, not flying with predefined weapons, not having any drinks in carry-ons, etc. are all standards to support their procedure.

2. Make your policy concise

The purpose of documentation is to lay the groundwork for your processes, procedures, and standards. But nobody will read (or follow) your processes, procedures, and standards if they have to comb through binder after binder of pages. 

Ensure that your policy can be realistically enforced by making it short and to-the-point. If it looks intimidating to review, it probably won’t be reviewed — and your company won’t gain the benefit of the policy.

3. Communicate the contents of your policy

Even if you make your policy as concise as possible, it still needs to be read and put into practice. While those who collaborated to create the policy may know the details, everyone else has to catch up. 

Because of this, not only should you have the policy clearly documented and approved, it must also be communicated to the staff and all involved parties that need to comply with it.  Affected parties should review the policy and sign to confirm their understanding on hire, annually, and any time it changes.

4. Regularly review and update your policy

Becoming PCI DSS compliant isn’t a once-and-done affair. You must revisit your policy annually or after any significant change to your organization to ensure it’s continually meeting all twelve PCI DSS requirements and sub-requirements in the face of changing business operations and requirements, technology innovation, and the evolving threat landscape.

In order to ensure your policy is reviewed and updated when necessary, it’s important for you to assign an owner who is responsible for performing that task. 

This individual should review the detailed list of the PCI Security Standards Council’s requirements or coordinate with a knowledgeable third-party to conduct a regular check for sufficiency.

Your policy is an essential tool — not simply a compliance checkmark

Good policies and procedures will help you to run your organization well, they must not simply be a checkbox for compliance.The Truvantis team offers a full range of services to help you to achieve and validate your PCI DSS compliance, including:

  • PCI DSS compliance consulting
  • Report on compliance (ROC)
  • Penetration testing
  • Vulnerability assessments 
  • Code review
  • Staff training
  • Risk assessments
  • Incident response planning
  • Policy and procedure writing
  • Architectural consulting
  • And more

We’re a qualified security assessor (QSA) — a true partner, passionate about helping you to leverage compliance to achieve your goals. Explore our PCI DSS services today.

Related Articles By Topic


Contact Us
Chat with our team about your PCI DSS compliance program.
Schedule a call
Contact Us