Having and maintaining an Information Security Policy is a requirement for Payment Card Industry Data Security Standard (PCI DSS) compliance. We have provided a template you can fill out and use if you don't already have a policy. Instructions for modifying the document to your needs are below.
- Search and replace (Windows | Mac) all instances of <MerchantName> with your legal merchant name.
- In Table 1 – Revision History, note the format of the cells and clear all but the top row. Enter the Date and the Author initials. In the future, note revisions by naming a new version (e.g. 1.2) and filling in the date, your initials and a brief description of the changes.
- In the Introduction, you must specify the role, title, or department of who is responsible for IT or IT Security in place of <Name of the Information Technology Organization at the entity>.
- In the Ownership and Responsibilities section, insert the name of the role or title (<Roles/Titles>) of the custodian of this document. This role/title will be responsible for reviewing and updating it yearly as well as ensuring the policy is distributed and understood.
- In Table 2 - Security Process and Standards Documents Referenced by Policy replace <Custodian or Location> with the custodian role/title or the location where any supplemental documents to your policy, such as the examples in the table, are accessible. The need for supplemental documentation varies depending on the size of your organization.
- Complete Appendix A – the Management Roles and Responsibilities table with the applicable roles at your organization.
- In the Agreement to Comply with Information Security Policies section, replace <the director of the Information Security department or identified responsible team, group, etc.> with the equivalent role at your organization.
- Review the entire document and address/fix/remove any remaining red text. It is in red to point out that it may need to change depending on your environment. Once the red text has been properly fixed, change the font color to black or automatic.