We find that most organizations struggle with the documentation aspect of a PCI assessment. Established best practice states, “If it’s not written down, it’s not happening.” Organizations need documented policies, procedures, and standards to control risks to business assets, but to also have a common understanding and language to create consistency among the culture of your organization. Small organizations often question why they need to document how their organization runs, especially if there are only a few people in the company. We think that’s the perfect example of why your organization, no matter the size, needs documentation; what if something happens? Who would know how to securely operate your organization? You need to have the proper policies, procedures, and standards in place to ensure the ongoing continuity and security of your organization. More policies, procedures, standards, and PCI compliance resources: https://kirkpatrickprice.com/audit/pci-dss/demystified/ https://kirkpatrickprice.com/blog/the-purpose-of-policies-procedures/ https://kirkpatrickprice.com/audit/pci-dss/