Are you a merchant or service provider having to comply with the Payment Card Industry Data Security Standards v1.2, commonly known as PCI DSS? If so, take a page out of a QSA’s play book for helping you prepare for a PCI DSS assessment. While we as QSA’s often talk about and spend much time on I.T. security and network issues, such as firewalls, routers, switches, and other hardware/devices/and technology utilities, let me bring your attention to an often overlooked area. Policies and procedures. That’s right-at the heart of any successful PCI DSS assessment are the development of policies and procedures that are detailed, current, relevant, and represent an actual “representation” of your organization’s control environment. How important are they? Important enough that there is an entire section of the PCI DSS requirements, known as “Maintain an Information Security Policy” is dedicated to policies and procedures. What’s more, sprinkled throughout various other sections of the PCI DSS requirements are more calls for policies and procedures. Thus, its paramount that you tackle this arduous and time consuming task as soon as possible. Don’t have a good PP writer on board-then contract it out to a PCI QSA firm that has experience in developing policies and procedures for your organization.