

A large part of PCI DSS is built around having strong policies and procedures. In many instances, organizations already have working practices that fit with PCI DSS; however, these processes are frequently organic, undocumented, and not shared with the organization at large.

To become PCI DSS compliant and reduce the risk of card fraud, organizations need to document the working processes, the security technology in use, and the card data flows that exist within the environment.

Once these elements are documented, they need to be communicated to the organization at large. Through strong documentation and improved staff awareness, organizations will be able to reduce their risk and maintain a posture that is more consistent with PCI DSS.

What Policies And Procedures Are Needed To Comply With PCI DSS?

The simple answer is that it depends on how you process card payments, and therefore on which PCI DSS requirements are applicable. A common approach to implementing the various policies and procedures mandated by PCI DSS is to buy a “PCI in a box” solution: a series of highly templated policies into which you simply enter your organization’s name.

The problem with this approach is that it rarely works, and you will quickly realise that the templated policy does not align with how you actually work. Worse still, templated policies usually contain many requirements and rules that simply do not apply to your organization, and we frequently work with organizations that have taken this approach and implemented unnecessary and unhelpful working practices as a result.

We Do Things Differently

One size really does not fit all, and our team can work with you to create a set of policies that both meet the requirements of PCI DSS and are practical and tailored to your organization. LRQA Nettitude has extensive experience in helping our clients create and implement policies, standards, and procedures.

Our approach is to work with you to understand your organization and produce documents that are bespoke and not only support compliance, but actually improve your overall security posture. Implementing effective policies and processes to support PCI DSS compliance does not have to be complicated and, if approached correctly, can have benefits well beyond PCI DSS compliance.

Our practical approach is based not only on a deep understanding of PCI DSS but on wider information security experience, which means we can work with you to:

  • Create policies that are tailored to support your organization, and not just there to tick boxes
  • Design and document processes that reflect the reality of how you work

Get in touch today to discuss how LRQA Nettitude can help you remove unnecessary complexity from your PCI DSS policies and procedures.

Frequently Asked Questions about Data Privacy Security

What is an incident response policy?

An incident response plan or policy is a process you create before you experience a cyberattack, so that your team has a procedure to follow when you do experience a data breach. LRQA Nettitude follows the CREST Cybersecurity Incident Response process, which is broken down into three phases: preparation, response, and follow up. Having a breach plan gives you the confidence to quickly contain any threat to your data privacy security.

Why is data privacy security important?

Although it has always been important, the need for stronger security has grown now that technology is indispensable to everyday life. Using apps, browsing websites, and shopping online are all examples of how your data is stored and managed online. For organisations today, the threat of cyber theft is a pertinent one. Having comprehensive data privacy plans in place can reduce and mitigate the risks of such events.

Does LRQA Nettitude practice sustainability?

As a company with a global footprint, sustainability is an area of importance to us. We are a registered ‘Investor in People’ organisation. Taking a cue from ISO 14001, we have strong sustainability practices put in place. Our organisation also hires fairly and equally, across gender and race. By working with us, you can rest assured that we implement data privacy security measures with ethics at the core of our mission.
