Our agency has just received notice from our acquiring bank that we must fill out the PCI DSS questionnaire. I'm being directed by management just to fill out the questionnaire and not worry about the documentation, because they believe that the questionnaire will not be audited. My opinion is that if we fill out this questionnaire we should be ready to provide documentation. Am I wrong to make this assumption?
It's absolutely right to always gather appropriate PCI DSS-related documentation in the event of an audit. The kind of management perspective that says otherwise is all about doing the least amount possible to make the auditor go away. The reality is security professionals need to do the right thing and plan for the worst-case scenario, consistently -- that means every day.
In this case, the right process is to gather appropriate documentation as a common part of security operations. If it's necessary to gather a bunch of documentation to substantiate practices that should be in place anyway (which is most of PCI DSS), then something is wrong.
In today's security environment, security managers will always be scrutinized. The executive suite will always wonder what's happening with all that money in the security budget. They want substantiation of what it is that the security team does, and why. Gathering the documentation when an audit is happening puts the security team behind the curve and in turn makes the value of information security less apparent to management, so I suggest making documentation a part of everyday activities. Yes, it's a hassle, but no more of a hassle than having to manufacture data to substantiate what's been done the night before an audit.
