
Guidelines on purchasing and implementing a PCI policy.

By: Gary Glover, CISSP
Did you know that many businesses don’t have a written security policy at all? In the PCI DSS audits I’ve conducted, over 60% of businesses had minimal (or no) PCI policies and documentation.


Purchasing and implementing PCI security policies is a lot like sailing. You can’t just say, “I have the wind; now I can lean back and do nothing.” You have to constantly adjust the sail to stay on track. Similarly, you can’t just install a few firewalls, add some security controls, and then be done with PCI. You need PCI security policies and procedures that are continually adjusted to new threats. Remember, you must document everything to protect your business.


Creating a PCI policy can be overwhelming, tedious, and a little expensive. Some businesses may think a PCI policy isn’t worth the cost if they have only a few employees. Others are overwhelmed by all the different types of policies (e.g. firewall policy, employee training, business continuity) and aren’t sure how much they should spend.

My point is, no matter how you feel about them, having PCI security policies is critical to protect your business’s data from online threats that evolve each day.


What Kind of PCI Security Policy Should My Business Have?

Just as a business faces several types of security issues, there are many types of security policies that cover procedures for data protection, emergencies, technical problems, and more. Some include:
  • Firewall policy: shows which firewalls have been installed, how often they are updated, and who is in charge of those updates.
  • Data security policy: covers the procedures for managing and storing data online, in computers, etc.
  • Incident response policy: instructs employees on what to do in the event of a security breach, data loss, malware discovery, etc. It’s basically your company’s contingency plan.
  • Physical security policy: covers the security of the building, computers, printed media, and other electronic devices.
  • Business continuity policy: is similar to the incident response policy, but it outlines steps to keep the business running after an emergency or service outage.
  • Employee computer usage policy: shows which employees have access to servers (role-based access), what employees are and aren’t allowed to do with the computers, etc.
These are just a few examples. Together, these security policies fulfill your business’s PCI compliance policy requirements.

Purchasing a PCI Security Policy

While it costs money to purchase a policy, it saves a lot of time and headache compared with creating one on your own. Many data security companies offer policy packets, procedures, and templates to ease the creation of security policies. It’s up to you to decide what those templates should include. Because each business is different, your individual PCI policies may need customization based on:
  • The size of your business
  • Whether you have a physical location or you work primarily online
  • How many employees need access to your data

Package Options

Pricing depends on the vendor and policies desired. PCI security companies often sell individual policies (incident response, data security, etc.) that range from $200-$800 each. These policies are great for businesses that already have most of their required PCI security policies and just need a few updated.

Most security companies also offer a total policy package that has all policies necessary for PCI compliance, which is great for businesses new to the PCI standard. Expect to pay around $1,000 for these complete packages.


Keep in mind that when buying PCI security policies, you get what you pay for.

If you get a policy for $50, it’s a $50 policy, which probably won’t be thorough, and likely isn’t written with a QSA skillset (Qualified Security Assessors are certified experts on PCI compliance and work to help organizations identify their risks and vulnerabilities).

Here’s a listing of prices a company might offer:

  PCI SAQ C Policy                    $100-$300
  PCI SAQ D Policy                    $100-$300
  PCI SAQ A-EP Policy                 $200-$400
  PCI SAQ B-IP Policy                 $400-$600
  PCI Policies and Procedures C       $900-$1100
  PCI Policies and Procedures D       $900-$1100
  PCI Policies and Procedures A-EP    $900-$1100
  PCI Policies and Procedures B-IP    $900-$1100


How Should My Business Implement PCI Security Policies and Procedures?

So, your business has a policy to direct its security actions; now it needs to implement those actions. A security policy collecting dust is useless.

To implement your security policy and procedures effectively, the mandate to adopt them needs to come from the top down.

A project manager should have the power to say, “Everyone needs to follow these policies and procedures. If you find a problem with a policy, come talk to me and I’ll bring it up with management.”

Management needs to say, “I know this is hard, but we need to have security policies and procedures, and I want proof that you’re following these procedures.”

Companies that follow this top-down process are more successful with security and have a better experience with PCI. Companies that don’t tend to have more internal problems and security miscommunications.

PCI security policies and procedures aren’t just a quick fix; they’re really a cultural change.

Implementation is impossible if policies aren’t accessible to employees. Let me give you a great example of how NOT to use a security policy within your organization. In one memorable audit, a company gave us over 200 policy documents and said, “Here’s what we have. Go through it.”

It took me a week to get through all of the material. To make things even more difficult, the documents were in different departments, so if we had questions or wanted to interview employees, we’d have to go from department to department to track down where one document came from. At the conclusion of the audit, we had to create one large PCI security policy that was accessible to all of the employees.

Spreading policy documents throughout the company makes it difficult for anybody to absorb all the material. Keep all PCI security policies together in one place. It will help your employees to actually follow the policies.

A PCI Security Policy is Important!

The key to properly using PCI policies is communication. Every team needs to understand three things: what they will do, how they will do it, and how they will document that it has been done. PCI security policies and procedures need to become part of the everyday process. Otherwise, your business can’t remain PCI compliant.


Though they’re dry and boring, PCI policies are critical to data security. When a business doesn’t have security policies in place, its employees are more likely to make mistakes that compromise business security.

Trust me, it’s worth the effort and the cost!

Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Wars quoting skills. May the Force be with you as you visit his other blog posts.
