A thorough PCI DSS documentation checklist matters because PCI DSS isn’t only about technical controls — it expects a substantial body of documentation to prove those controls are governed and maintained. Requirement 12 in particular is all about policies and programs. Below is the complete PCI DSS documentation checklist, from the core policies to the evidence your assessor expects to see.

The core policies
Whatever your merchant or service-provider level, assessors expect documented, maintained policies including:
- Information Security Policy — the overarching policy required by Requirement 12.
- Acceptable Use Policy — rules for using company technology and handling data.
- Access Control Policy — least privilege and need-to-know.
- Authentication / Password Policy — including MFA and password standards.
- Secure Configuration Standards — hardening for system components.
- Encryption & Key Management Policy — protecting stored and transmitted data.
- Change Management Policy.
- Vulnerability & Patch Management Policy.
- Incident Response Plan.
- Third-Party / Service Provider Management — managing PCI responsibilities across vendors.
- Security Awareness Training program.

The procedures and analyses
- Targeted risk analyses — new under v4.0, defining the frequency of certain activities.
- Roles and responsibilities documented for each requirement.
- Operational procedures for logging, monitoring, and daily security tasks.

The evidence and records
- Quarterly ASV scan reports
- Penetration test reports
- Access reviews and logs
- Training completion records
- Your completed SAQ or ROC and Attestation of Compliance (AoC)

Note: Exactly which documents apply depends on your scope, SAQ type, and how you handle cardholder data. Confirm against the current PCI DSS and your validation requirements.
Skip the blank page.
The PCI DSS Toolkit includes every policy and procedure below — auditor-written and mapped to PCI DSS v4.0 — so you can evidence Requirement 12 and the rest without drafting from scratch.

Why the PCI DSS documentation checklist trips teams up
Many organizations get their technical controls right but fall short on documented policies — and assessors treat missing or outdated policies as findings. A complete, maintained policy set is the difference between a smooth validation and a scramble. See how it fits the wider compliance process and the 12 requirements.

Assigning ownership for each document
A checklist only works if every item has an owner. In practice, most of the core policies sit with the information security lead or CISO, while procedures are owned by the teams that run them day to day — IT operations for configuration standards, HR for acceptable use and onboarding, and engineering for secure development. Requirement 12 expects a named individual or team to be formally responsible for the information security programme, so record ownership directly in each document’s header alongside its version number and last-review date. Clear ownership is what turns a folder of files into a living programme an assessor will trust.

From checklist to audit-ready evidence
Assessors don’t just want to see that a policy exists — they want proof it is approved, communicated, and followed. For each item on your PCI DSS documentation checklist, keep the approved version, a short record of who signed it off and when, and evidence that staff have seen it, such as acknowledgement logs or training records. Storing these alongside the policies themselves means that when an assessor says “show me,” you can answer in seconds rather than days. A pre-built documentation toolkit accelerates this by giving you editable, mapped templates for every policy and procedure Requirement 12 expects.

Frequently asked questions
Does a small merchant need all these policies?
It depends on your SAQ type — simpler SAQs require fewer controls — but Requirement 12’s policy expectations apply broadly. Confirm what your SAQ requires.
How often should policies be reviewed?
At least annually, and whenever your environment changes materially.
