DOCUMENT CONTROL
VERSION: 1.0
DATE: DD MMM YYYY
Contents
How to use this document ..... 3
Introduction ..... 4
Information Security Policy Statements ..... 4
Protecting Payment Card Data ..... 5
Scope ..... 5
Responsibilities ..... 6
The Six Goals of the PCI DSS ..... 7
Goal 1 – Build and Maintain a Secure Network and Systems ..... 7
Goal 2 – Protect Cardholder Data ..... 7
Goal 3 – Maintain a Vulnerability Management Program ..... 7
Goal 4 – Implement Strong Access Control Measures ..... 8
Goal 5 – Regularly Monitor and Test Networks ..... 9
Goal 6 – Maintain an Information Security Policy ..... 9
Appendices ..... 11
Appendix A – Agreement to Comply Form ..... 11
Appendix B – Inspection of card reading devices for tampering or substitution ..... 12
Appendix C – Example Incident Response Plan ..... 13
2 of 15
How to use this document
Step 1 – Introduction, Scope and Responsibilities
Read the introductory material so you understand what you need to do. Input your company name where
needed. This section defines the objectives and scope and may require items to be assigned.
Step 2 – PCI Goals
Work your way through the goals section of the document. Each goal has introductory information so you
understand what it is about, then a set of policy statements.
An 'Applicable to SAQ' column may be used to indicate the SAQs a policy statement is relevant to. Those
policies marked for your SAQ type are applicable to your business. If the 'Applicable to SAQ' column is
not shown, then all policy statements should be considered relevant.
Step 3 - Share throughout your business
Once you are satisfied the policy meets your needs to achieve the objectives of the PCI DSS, you need to
share it with the people in your business. You must ask anyone who has access to or could affect the security
of payment card data and/or your Cardholder Data Environment to read the policy. This applies to both staff
and third parties. They then need to sign and date a copy of the Agreement to Comply form (see Appendix
A). You need to keep a record of this consent.
Step 4 – Ongoing
You need to make sure the policy is accessible and available for reference if/when required. Keep a copy of
the policy on your business premises at all times.
Make sure your security measures, processes and operating procedures fulfil the policy statements and that
these are implemented or adhered to consistently. Remember to update the policy if you make any changes
to your business processes or how you accept or handle payment card data in the future so the policies
remain appropriate for the protection of payment card data and your business.
Introduction
This document defines the information security policy for [Company] on:
The acceptance and processing of card payments
The handling of payment card data (cardholder data and sensitive authentication data)
The use of our networks and systems transmitting, processing and/or storing such data
Definitions for terms used in this policy can be found in this Glossary.
Based on your answers to the profile questions about how you accept card payments your business has been
deemed eligible for Self-Assessment Questionnaire (SAQ) P2PE. To save you valuable time and effort, the
standard Information Security Policy has been tailored to suit the needs of SAQ P2PE eligible businesses.
This Information Security Policy includes policy statements and requirements as required by the Payment
Card Industry Data Security Standard (PCI DSS) and has been developed to be appropriate for merchant
businesses processing card payments via:
Hardware payment terminals included in a validated and PCI-listed Point-to-Point Encryption (P2PE)
solution.
If your business accepts or processes customer card data in other ways, this information security policy must
be reviewed and updated to include additional, appropriate statements that will ensure the protection and
confidentiality of payment card data in line with the PCI DSS requirements applicable to those additional
activities.
This policy aims to address all relevant PCI DSS policy requirements and obligations to ensure the protection
and confidentiality of payment card data, and is structured around the six goals of the PCI DSS v3.2.1.
Security policies and operational procedures for storing, processing or transmitting payment card data must
be documented, in use, and known to all affected parties.
Note on Information Security Policy coverage
Although statements on Information Security Policy have been included in this policy document, this policy is
not intended to encompass all aspects of information security in relation to the preservation of the
confidentiality, integrity and availability of sensitive, personal or confidential information belonging to
[Company] staff, customers, clients or third party providers. Nor does this Policy address all potentially
relevant legislative, regulatory and standards requirements that may apply to the business.
Businesses must therefore also define, update and disseminate an Information Security Policy that sets out
their specific information security objectives and policies for achieving those objectives.
This Policy must be distributed to all personnel. All personnel must read this document in its entirety and
sign a copy of the ‘Agreement to Comply’ form (shown in Appendix A) confirming they have read and
understand this policy fully.
Scope
The goals described in this Information Security Policy apply to the physical locations/areas, payment
terminals, media, processes and people in the environment(s) where the Company accepts, stores,
processes or transmits cardholder data (our Cardholder Data Environment).
This policy applies to all personnel, including employees, contractors and third parties resident on the
Company’s site(s), who have access to or can affect the security of cardholder data and/or the Cardholder
Data Environment (CDE).
Responsibilities
All personnel must comply with these information security policies.
[Company business owner / senior management, edit as appropriate for your business] must ensure that
personnel who have access to, or can affect the security of, payment card data and/or the CDE understand
their role and their responsibility to adhere to the policies set out in this document, as applicable to their
role.
[Company business owner / senior management, edit as appropriate for your business] shall ensure that
relevant procedures are created and maintained to ensure that these information security policies are
unambiguous, implemented effectively and adhered to consistently.
[Company business owner / senior management, edit as appropriate for your business] shall ensure that this
document is reviewed at least annually and whenever the environment changes, for example when security
risks, technologies or business circumstances change. The information security policy must be updated to
ensure policy statements remain appropriate for the protection of payment card data and re-distributed to
all personnel, as applicable.
The Six Goals of the PCI DSS
The PCI DSS was developed to encourage and enhance cardholder data security and designed to facilitate
the adoption of a consistent set of data security measures globally. There are twelve requirements which
follow six goals. This security policy highlights the six goals.
Goal 3 - Maintain a Vulnerability Management Program
PCI DSS Goal 3 is about protecting systems against malware and developing secure systems and applications.
All systems must have appropriate software patches to protect against the exploitation and compromise of
cardholder data. Vulnerabilities should be fixed by patches released by vendors and must be installed by the
entities that manage them.
There are no Goal 3 policy statements applicable for SAQ P2PE eligible merchants.
Goal 4 - Implement Strong Access Control Measures
All personnel at points of sale and/or who use the card reading devices shall be trained to be aware of
attempted tampering or replacement of devices. This training must include their responsibility to:
Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to
granting them access to modify or troubleshoot POS devices.
Not allow anyone to install, replace, or return devices without verification (for example, on the basis
of prior notification by the device provider, acquirer, or equivalent).
Be aware of suspicious behaviour around POS devices (for example, attempts by unknown persons to
unplug or open devices).
Report suspicious behaviour and indications of POS device tampering or substitution to appropriate
personnel (for example, to a manager or security officer). [9.9.3]
Security policies and operational procedures for restricting physical access to cardholder data and
protecting card reading devices, as per the policy statements above, shall be documented, in use, and known
to all affected parties. [9.10]
Goal 6 - Maintain an Information Security Policy
There must be a written agreement or acknowledgment from each service provider that has access to or
could impact the security of cardholder data, confirming that they are aware of and accept their
responsibilities for the security of cardholder data. [12.8.2]
A process to vet potential suppliers or service providers must be established. Proper due diligence, to
evaluate the suitability of a potential service provider, must be exercised before engaging with any third
party that may affect the security of the business’s cardholder data environment, card payment processing or
handling of payment card data. [12.8.3]
Service providers’ compliance with the PCI DSS shall be monitored and checked at least annually [12.8.4].
The services delivered by service providers must be compliant with the applicable PCI DSS requirements.
For each service provider, maintain a record or documentation that makes clear which PCI DSS
requirements are managed by the service provider and which will be the responsibility of the business
[12.8.5]. If appropriate, map out these responsibilities in a matrix (or table) detailing what specific PCI DSS
responsibilities are assigned to whom as part of the agreement or service contract. There may also be PCI
DSS requirements that are a shared responsibility.
In preparation to respond immediately to a system breach, an incident response plan must be
implemented as follows [12.10]:
An incident response plan must be created, to be implemented in the event of a system breach. [12.10.1]
The incident response plan sets out the steps to be taken to respond immediately to a security incident or
data breach. See Appendix C for an example.
Appendices
Appendix A – Agreement to Comply Form
Agreement to Comply with Information Security Policies
I, the undersigned, agree to take all reasonable precautions to assure that [Company] information which has
been entrusted to [Company] by third parties and customers, will not be disclosed to unauthorised persons. I
understand that I am not authorised to use this information for my own purposes.
I confirm that I have read, understood and agree to abide by this policy and any associated procedures. I
understand that any non-compliance with this policy may be a cause for disciplinary action up to and
including dismissal from [Company].
Employee Name (Print) and signature: ____________________________________________________
Date: ___________________
Appendix B - Inspection of card reading devices for tampering or
substitution
Example Device Inventory
Location | Make | Model | Device Serial No. / Unique Identifier
Appendix C - Example Incident Response Plan
This Incident Response Plan is provided as an Example and Template to be used to create a bespoke
Security Incident Response Plan for your business. It includes common good practice and industry
recommended steps for incident reporting and response.
What you need to do
Review this plan and update it with details specific to your business.
Include the names of the individuals assigned responsibility for actions within the plan.
Include internal and external contact information specific to your business and its operations.
Update the plan to address any incident types and actions that are specific to your business.
Security incidents must be managed in an efficient and time effective manner to make sure that the impact
of an incident is contained and the consequences for both the business and for customers are limited.
This Appendix sets out the [Company] plan for reporting and dealing with security incidents relating
Security incident response team members and contacts in the absence of the primary contact:
Job Title/Role | Contact Name | Contact Telephone | Contact Email
[INSERT DETAILS] | [INSERT DETAILS] | [INSERT DETAILS] | [INSERT DETAILS]
The incident response primary contact (or security incident response team members in the absence of the
primary contact) is responsible for:
Making sure that all relevant staff understand how to identify and report a suspected or actual
security incident.
Leading the investigation of each reported incident.
Taking action to limit the exposure of sensitive or payment card data to reduce the risks that may be
associated with any incident.
Gathering evidence and any related information from various security measures and controls, such
as CCTV recordings or firewall/router logs.
Documenting each incident and all activities undertaken in response to an incident.
Reporting each security incident and findings to the appropriate parties. This may include your
acquirer, card brands, business partners, customers, etc.
Resolving each incident to the satisfaction of all stakeholders, including any external parties.
Initiating follow-up actions to reduce the likelihood of recurrence, as appropriate.
All personnel are responsible for:
Making sure that they understand how to identify and report a suspected or actual security incident.
Reporting a suspected or actual security incident without undue delay to the incident response
primary contact, or to another member of the security incident response team.
External Contacts
External Party | Contact Name (if known) | Email | Telephone
Report
1. Any information security incidents must be reported, without undue delay, to the incident primary
contact or to another member of the security incident response team.
In the event that a security incident or data breach is suspected to have occurred, the staff member
should discuss their concerns with their line manager, who in turn may raise the issue with the
primary contact or another member of the security incident response team.
Investigate
2. After being notified of a security incident, the security incident primary contact † will commence
investigation and determine the appropriate response.
3. The security incident primary contact † will initiate actions to limit the exposure of payment card data
and mitigate any risks associated with the incident.
Inform
4. The security incident primary contact † will contact the Acquirer.
5. The security incident primary contact † will follow the Acquirer’s advice to ensure the security of all
future card payments.
6. Depending on the severity of the incident, the security incident primary contact † may also contact
local law enforcement, and other parties that may be affected by the security incident such as
customers, business partners or suppliers.
Resolve
7. The security incident primary contact † will liaise with the Acquirer, and other external parties as
applicable, to investigate the incident and gather evidence, as required.
8. The security incident primary contact † will take action to investigate and resolve the problem to the
satisfaction of the Acquirer, and other parties and stakeholders involved.
Recovery
9. The security incident primary contact will authorise a return to normal operations once satisfactory
resolution is confirmed.
10. Normal operations must adopt any updated processes or security measures identified and
implemented as part of resolution of the incident.
Review
11. The security incident primary contact will complete a post-incident review. The review will consider
how the incident occurred, what the root causes were and how well the incident was handled. This
is to help identify recommendations for better future responses and to avoid a similar incident in the
future.
12. The security incident response primary contact will ensure that the required updates and changes
are adopted or implemented as necessary.
† or another member of the security incident response team in the primary contact’s absence