Information Security Policies for PCI-DSS V3

The PCI Security Standards Council just released Version 3.0 of the Payment Card Industry Data Security Standard (PCI-DSS), the set of requirements for protecting credit card data.  The update had some significant changes, including a greater focus on third-party information security.

There are many articles describing the new changes to PCI-DSS V3, including a nice summary of changes from the Council, so we won’t duplicate that effort here.  For our purposes, we wanted to look at the implications for information security policy development, so we will focus our analysis on Requirement 12:  Maintain and Information Security Policy.

Requirement 12 – A misnomer

First, Requirement 12 “Maintain an Information Security Policy” is essentially misnamed.  While it does outline the specific requirements of written information security policies (12.1), it should really be named “Maintain an Information Security Program” – since it covers all of the organizational aspects of information security, including risk assessments, personnel security, and third-party security.  Unfortunately, this name carried forward to the new update.

This confusing name just adds to the overall global confusion regarding security compliance and security policy.  Customers met with these requirement go looking for a single “information security policy” – when in fact what they need is a SET of information security policies and procedures that document their information security program.

PCI-DSS Information Security Policy Requirements

PCI has always been a strange standard compared with other outlines like ISO 27002 or NIST.  While the PCI recommendations go into specific detail in areas like firewall management and configuration (what we might refer to as a “standard” or even technical configurations), requirement 12 makes much higher-level statements about security policy.

12.1 Changes – Security Policies Moved

One of the key PCI-DSS requirements is that the organization have written security policies and procedures that cover each of the security categories.   But now they say it a bit differently.

One of the major changes in the outline was to take the previous requirement (12.1) to have written policies and procedures and spread it out into the various topic sections.  So rather than saying you must “have policies and procedures that cover the PCI-DSS topics” it simply adds that requirement at the end of each section (physical security, access control, etc.)  This is more in line with the NIST SP 800-53 approach.  But it adds little in the way of guidance or clarity.   This approach also seems to leave out the requirements to document the previous 11 categories of the standard, which is clearly not the case.

PCI-DSS Information Security Policies in 4 Steps

So what DOES PCI-DSS V3 really say about Information Security Policy?   Let us try to summarize in four basic steps:

1. Written security policies should document the overall structure of your information security program, (as such, written information security policies are key pieces of evidence for auditors and assessors seeking to validate your program)

2. You must have written information security policies and procedures that cover all of the control categories of your security program.  (Access control, physical security, personnel security, incident response, etc.) (12.1)

3. Like your program, information security policies must be reviewed and updated to reflect changes in your program and security environment, (12.2)

4. Your written policies should be distributed to the key personnel that need to follow them. (12.1)

Not surprisingly, this is what ISO 27002 says about written policies (5.1) and HIPAA says about information security policy.  Did we need another standard with another numbering system?  We’ll let you be the judge of that.

The bottom line is that these are the core components of any effective information security policy program.  If your organization adopts these best practices, then addressing the specific requirements of different regulations will basically fall into place.

About Information Shield

Information Shield publishes the leading library of information security policy templates, including Information Security Policies Made Easy.   Our products allow organizations to quickly document their information security program for compliance with regulations and frameworks including PCI-DSS, HIPAA, NIST, ISO 27002 and CoBIT.