It's absolutely right to always gather appropriate PCI DSS-related documentation in the event of an audit. The...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
kind of management perspective that says otherwise is all about doing the least amount possible to make the auditor go away. The reality is security professionals need to do the right thing and plan for the worst-case scenario, consistently -- that means every day.
In this case, the right process is to gather appropriate documentation as a common part of security operations. If it's necessary to gather a bunch of documentation to substantiate practices that should be in place anyway (which is most of PCI DSS), then something is wrong.
In today's security environment, security managers will always be scrutinized. The executive suite will always wonder what's happening with all that money in the security budget. They want substantiation of what it is that the security team does, and why. Gathering the documentation when an audit is happening puts the security team behind the curve and in turn makes the value of information security less apparent to management, so I suggest making documentation a part of everyday activities. Yes, it's a hassle, but no more of a hassle than having to manufacture data to substantiate what's been done the night before an audit.