PCI policy and procedures documents are extremely critical in achieving Payment Card Industry (PCI) compliance. How critical? Enough that an entire requirement for PCI is dedicated to developing an information security program. In fact, requirement 12: Maintain a policy that addresses information security for employees and contractors, requires just that, developing these policies and procedures.
But hold on, it is much more than just PCI DSS Requirement 12; there are a number of other areas sprinkled throughout the PCI DSS requirement that “require” documented policies and procedures on a wide array of items. News to you? Maybe, maybe not. Either way, writing these PCI policy and procedures documents take time, alot of time.
Add to the fact that because every organization is different, you can not simply stamp on a one size fits all approach; it does not work that way. You need to spend time customizing the policy and procedures document so they fit your organization’s needs.
Sure, you can start with some broad based themes and templates, but you will really have to roll your sleeves up to grind out the details in achieving the true “spirit” of these documents.