Procedures
Sitting just below policies in the document hierarchy are Procedures. Whereas policies state your organisation’s stance on aspects of its card processing operations, procedures show how you go about achieving these aims.
Of the documents that are contained in our policy pack, it is normally the procedures that you will need to spend most time customising. The procedures are quite specific to your organisation’s approach to handling card data. We appreciate this and – rather than be prescriptive – we have provided actual examples to demonstrate the level of detail that you should be working to, along with some real-life examples that might apply to your particular arrangements.
Example procedures include:
Procedure Control Log
A log of all Procedures documented as part of the PCI DSS compliance activities.
Log Retention Procedure
To enable determination of the retention periods for various logs that are either generated through an automated process or manually triggered, and stored in any type of media either locally or across the network.
Logical Access Procedure
To safeguard information and computing resources from various threats, to protect them from unauthorized modification, disclosure or destruction and to ensure that information remains accurate, confidential, and is available when required.
Anti-Virus & Malicious Software Procedure
To provide instructions on measures that must be taken to help achieve effective virus detection and prevention.
Change Control Procedure
To ensure that changes are authorised and that there is a structured process for effecting the required changes with minimum or no disruption to the business and its clients.
Backup Procedure
To ensure that essential business information is backed up and is recoverable for restoring the business operation.
Firewall & Router Security Procedure
This procedure relates to measures taken to ensure the security and integrity of all firewall installations within the cardholder data environment and to prevent disclosure of sensitive information from the network.
Incident Management Procedure
To ensure all suspected information security incidents are reported promptly to Management and that the correct procedures are quickly established to respond appropriately to security incidents.
Physical Security Procedure
This document details the procedures used to ensure physical access to the cardholder data environment is appropriately secured and monitored.
Data Retention Procedure
To ensure that all documents are retained in an appropriate manner such that they are available for use as required, stored securely so that only authorised staff can access them, and destroyed after a specified time period to comply with Data Protection legislation.
Additional Information
- Hierarchical. Procedures link directly with top level policies and supporting forms.
- Concise. As PCI auditors we expect to see regularly accessed and maintained documentation. Documentation has been designed with this in mind.
- Practical. Uses real-world examples to assist customisation to your particular technology arrangements.
- Extensive usage. Procedures have been developed to cover all operational aspects of the PCI Data Security Standard.