Did you know that many businesses don’t have a written security policy at all? In the PCI DSS audits I’ve conducted, over 60% of businesses had minimal (or no) PCI policies and documentation.
Purchasing and implementing PCI security policies is a lot like sailing. You can’t just say, “I have the wind; now I can lean back and do nothing.” You have to constantly adjust the sail to stay on track. Similarly, you can’t just install a few firewalls, add some security controls, and then be done with PCI. You need PCI security policies and procedures that continually adjust to new threats. Remember, you must document everything to protect your business.
Creating a PCI policy can be overwhelming, tedious, and a little expensive. Some businesses may think a PCI policy isn’t worth the cost if they have only a few employees. Others are overwhelmed by all the different types of policies (e.g. firewall policy, employee training, business continuity), and aren’t sure how much they should spend.
My point is, no matter how you feel about them, having PCI security policies is critical to protect your business’s data from online threats that evolve each day.
Just as a business faces several types of security issues, there are many types of security policies that cover procedures for data protection, emergencies, technical problems, and more. Some include:
These are just a few examples. Each of these security policies works together with the others to fulfill your business’s PCI compliance policy requirements.
While it costs money to purchase a policy, doing so also saves a lot of time and headache compared with creating one on your own. Many data security companies offer policy packets, procedures, and templates to ease the creation of security policies. It’s up to you to decide what those templates should include. Because each business is different, your individual PCI policies may need customization based on:
Pricing depends on the vendor and policies desired. PCI security companies often sell individual policies (incident response, data security, etc.) that range from $200-$800 each. These policies are great for businesses that already have most of their required PCI security policies and just need a few updated.
Most security companies also offer a total policy package that has all policies necessary for PCI compliance, which is great for businesses new to the PCI standard. Expect to pay around $1,000 for these complete packages.
Keep in mind that when buying PCI security policies, you get what you pay for.
If you get a policy for $50, it’s a $50 policy, which probably won’t be thorough, and likely isn’t written with a QSA skillset (Qualified Security Assessors are certified experts on PCI compliance and work to help organizations identify their risks and vulnerabilities).
Here’s a listing of prices a company might offer:
PCI SAQ C Policy   $100-$300
PCI SAQ D Policy   $100-$300
PCI SAQ A-EP   $200-$400
PCI SAQ B-IP   $400-$600
PCI Policies and Procedures C   $900-$1100
PCI Policies and Procedures D   $900-$1100
PCI Policies and Procedures A-EP   $900-$1100
PCI Policies and Procedures B-IP   $900-$1100
So, your business has a policy to direct its security actions; now it needs to implement those actions. A security policy collecting dust is useless.
To implement your security policy and procedures effectively, the mandate to adopt them needs to come from the top down.
A project manager should have the power to say, “Everyone needs to follow these policies and procedures. If you find a problem with a policy, come talk to me and I’ll bring it up with management.”
Management needs to say, “I know this is hard, but we need to have security policies and procedures, and I want proof that you’re following these procedures.”
Companies that follow this top-down process are more successful with security and have a better experience with PCI. Companies that don’t tend to have more internal problems and security miscommunications.
Implementation is impossible if policies aren’t accessible to employees. Let me give you a great example of how NOT to use a security policy within your organization. In one memorable audit, a company gave us over 200 policy documents and said, “Here’s what we have. Go through it.”
It took me a week to get through all of the material. To make things even more difficult, the documents were in different departments, so if we had questions or wanted to interview employees, we’d have to go from department to department to track down where one document came from. At the conclusion of the audit, we had to create one large PCI security policy that was accessible to all of the employees.
Spreading policy documents throughout the company makes it difficult for anybody to absorb all the material. Keep all PCI security policies together in one place. It will help your employees to actually follow the policies.
The key to properly using PCI policies is communication. Every team needs to have an understanding: this is what they will do, this is how they will do it, and this is how they will document that it has been done. PCI security policies and procedures need to become part of the everyday process. Otherwise, your business can’t remain PCI compliant.
Though they’re dry and boring, PCI policies are critical to data security. When a business doesn’t have security policies in place, its employees are more likely to make mistakes that compromise business security.
Trust me, it’s worth the effort and the cost!