Compliance Policies & Procedures

by John Cartwright

As more regulation and oversight are implemented globally, understanding compliance policies and procedures becomes ever more important. Two widely encountered compliance standards are the Payment Card Industry Data Security Standard (PCI-DSS) and the North American Electric Reliability Corporation Critical Infrastructure Protection standards (NERC-CIP). Both are concerned with IT security and the protection of assets, albeit in different industries.


PCI-DSS was first published in December 2004 as a single set of requirements agreed by the five major international payment card brands: Visa, American Express, Discover, Mastercard and JCB (Japan Credit Bureau), which in 2006 formed the PCI Security Standards Council to maintain it. Its 12 requirements apply to any merchant or service provider, in any industry, that accepts these brands' cards and that stores, processes or transmits cardholder data (the primary account number, together with any cardholder name, expiration date or service code stored with it). The purpose of PCI-DSS is to protect cardholder data against theft and the payment card fraud that follows from it.


The CIP standards mandated by NERC are in place to help safeguard the North American bulk power system. Owners, operators and users of that system, including generating utilities, transmission operators and power resellers, are subject to them. The individual CIP standards (not all entities are subject to all of them) resemble PCI-DSS inasmuch as they govern how a network is to be configured: which systems qualify as critical cyber assets, how the electronic security perimeter around them is built, and who may access them physically and electronically (as opposed to governing access to cardholder data).

Penalties for Non-Compliance

The penalties for failing to comply with PCI-DSS are contractual rather than statutory: the card brands levy fines through a company's acquiring bank, and a company that remains out of compliance can lose its ability to accept Visa, Mastercard and the other brands' cards. For companies whose business is processing payment transactions, that is their livelihood taken away. NERC, by contrast, imposes financial penalties on companies found to be out of compliance. Fines can be as high as $1 million per violation per day for companies egregiously out of compliance.

Other Compliance Policies and Procedures

There are several other standards, requirements, policies and procedures that organizations must follow to protect data in this electronic era. Some of them include:

- Sarbanes-Oxley (SOX): United States federal law governing accountability for corporate financial reporting and auditing. Its internal-control requirements extend in practice to the IT systems that produce financial data.
- Statement on Auditing Standards No. 70 (SAS 70): an auditing standard under which a service organization (such as a data center or payment processor) has its controls examined and reported on by an independent auditor. These reports are used by financial auditors as well as by the IT security industry.
- Health Insurance Portability and Accountability Act (HIPAA): United States federal law whose Privacy and Security Rules set out how medical providers, health plans and their business associates must protect patients' health information.

How to Comply

Typically, there are two parts to passing a PCI-DSS or NERC-CIP compliance audit: documentation and technical implementation. The technical implementation is done by an organization's IT department, usually with guidance from an auditor (in the PCI-DSS world, a Qualified Security Assessor, or QSA). Documentation is typically handled by technical writers, but these standards are still relatively new, so it is hard to find a writer who actually has experience writing to them. The PCI Guy, online at, is a technical documentation consulting firm that specializes in writing PCI-DSS, NERC-CIP and SOX compliance documentation.

About the Author

John Cartwright is a PCI-DSS compliance expert who focuses on technical documentation. An alum of both the University of Oklahoma and St. Edward's University, Cartwright has worked as a technical writer for more than 10 years, mainly in software development and IT security. When not writing compliance documentation or running his own company, Cartwright is a freelance journalist in Austin, Texas.