PCI Requirement 3, “Protect Stored Cardholder Data” requires merchants and service providers to do just that – protect cardholder data – which ultimately means having in place a number of required procedures, along with numerous PCI policies and procedures for the following areas:

•    Policies and procedures for data retention and disposal.
•    Written policies for displaying the Primary Account Number (PAN).
•    Comprehensive key management procedures.

PCI Policies and Procedures are Critically Important for Requirement 3 | Order Today
Organizations quickly realize that the time and effort required in developing PCI policies and procedures for Requirement 3 can be quite extensive. The reason for this is that these specific policy and procedure requirements are not easy to produce as they take time in understanding how to develop documentation that is correct in grammar, content, and that it covers all essential items.  A data retention and disposal policy needs to include a number of items for it to be considered a worthy and credible document. The same can be said for having documented PCI compliance policies for displaying and protecting the Primary Account Number, known as the PAN. Similarly, key management procedures used for encryption of cardholder data must address the following laundry list of requirements for ensuring further compliance with the Payment Card Industry (PCI) Data Security Standards (DSS) Initiatives:

•    Generation of strong keys, secure key distribution, secure key storage
•    Periodic key changes at least annually and the retirement of old keys (for example: archiving, destruction, and revocation as applicable).
•    The replacement of known or suspected compromised keys.
•    Split knowledge and dual control of keys (for example, requiring two or three people, each knowing only their own part of the key, to reconstruct the whole key.  Additionally, the prevention of unauthorized substitution of keys.
•    Require key custodians to sign a form specifying that they understand and accept their key custodian responsibilities.

PCI Policies and Procedures for SAQ A – D, P2PE-HW, and Onsite Assessments | Order Today
There’s no need to spend any time developing your own PCI policies and procedures – pcipolicyportal.com has done all the hard work – as we’ve developed policy documentation specific to each of the following PCI DSS reporting requirements:

•    SAQ A for Merchants
•    SAQ B for Merchants
•    SAQ C for Merchants
•    SAQ C-VT for Merchants
•    SAQ D for Merchants and Service Providers
•    SAQ P2PE-HW for Merchants
•    Onsite Assessments by PCI-QSA for Merchants and Service Providers

Purchase and immediately download your PCI Policies Packet today for SAQ A, B, C, C-VT, D, P2PE-HW, and Level 1 onsite assessments.

Policy and Procedure Writing Experts | Join us for Free PCI Webinars | Learn More
You get exactly what’s needed with PCI policies and procedures mapped directly to each of the above reporting requirements. Trust pcipolicyportal.com for all your PCI policies and procedures, and assessment services.  Learn more about our policy and procedure writing services, the PCI certification process for both the Self-Assessment Questionnaires (SAQ A – D), and Level 1 onsite assessments and the importance of PCI policies and procedures for compliance. Additionally, pcipolicyportal.com also provides free webinars for learning more about the Payment Card Industry Data Security Standards (PCI DSS).

Close Menu
Do NOT follow this link or you will be banned from the site!