PCI DSS compliance can be a costly, time-consuming assessment for any merchant or service provider that must achieve it. What many organizations fail to recognize is that the PCI DSS standard contains a slew of requirements for documented policies and procedures covering a laundry list of items. While companies are typically very good at what they do from an operational and business perspective, most perform rather poorly when it comes to documenting what they do. It's an inherent weakness that I, as a PCI QSA assessor, see time and time again out there in the world of compliance.
Take note: documenting your policies and procedures for PCI DSS compliance can itself be a costly and time-consuming affair. My recommendation: find a PCI QSA firm that has ready-made templates which can be customized to your operations. Furthermore, appoint an internal employee to either develop these documented policies and procedures or work with an external PCI QSA assessor.