
Claudia SOP

Originally published at claudiasop.com

PCI-DSS SOP Requirements: What You Need to Document and Why

PCI-DSS v4.0 Requirement 12 is devoted entirely to policies and procedures: "Support information security with organizational policies and programs." Every one of the 12 requirements has a corresponding documentation obligation. A QSA (Qualified Security Assessor) will ask to see your written procedures during any Level 1 audit, and internal compliance teams rely on them for evidence during self-assessments. Having controls is necessary — being able to prove you have controls is what PCI-DSS actually measures.

Why PCI-DSS Mandates SOPs

The gap between having a security control and documenting it is where most PCI-DSS findings originate. A firewall rule exists, but there's no written procedure for reviewing it quarterly. Access credentials are rotated, but no SOP governs who approves the rotation or what the rotation schedule is. The QSA can't test what isn't documented, and undocumented controls are treated as unimplemented controls.

PCI-DSS v4.0 explicitly requires that policies and procedures be reviewed at least once every 12 months, updated when the environment changes, and distributed to relevant personnel. This isn't a checkbox — it's a recurring operational requirement.

The PCI-DSS SOP Categories You Need

The 12 PCI-DSS requirements map to these SOP categories:

  • Network security (Req. 1–2): firewall rule review, network change management, default credential removal

  • Cardholder data (Req. 3–4): data retention and deletion, encryption key management, transmission security

  • Vulnerability management (Req. 5–6): patch management, vulnerability scanning, penetration testing scheduling

  • Access control (Req. 7–9): access provisioning and de-provisioning, MFA enrollment, physical access control

  • Monitoring (Req. 10–11): log review, alert triage, intrusion detection response

  • Information security policy (Req. 12): incident response, risk assessment, security awareness training, vendor management

The Screenshot Problem for PCI-DSS SOP Documentation

If you use a screen recorder to document a payment workflow — checkout configuration, refund processing, fraud review — you risk capturing Primary Account Numbers (PANs), CVV values, or cardholder names in screenshots. This creates a problem: the SOP document now contains cardholder data (CHD), which means it falls within the cardholder data environment (CDE) and must be protected accordingly.

Standard screen recorders have no PAN detection. They capture whatever is on screen. The SOP file becomes a CHD artifact that needs to be encrypted at rest, access-controlled, included in your CDE scope, and potentially brought into your next QSA assessment.

The better approach is to use a recorder that detects and redacts payment data before it's ever stored. When the SOP file itself contains no CHD, it stays out of CDE scope and can be distributed freely to staff who need it.

How to Safely Document Payment Workflows

For PCI-DSS SOP documentation, the recording tool needs automatic cardholder data detection. Claudia handles this before any data is written to storage:

  • PAN detection. Credit card numbers are matched using Luhn algorithm validation and replaced with [CARD REDACTED] before storage. The original value is never written.

  • CVV/CVC fields. Fields with autocomplete="cc-csc" or similar hints are fully suppressed — the value is never captured.

  • Payment page screenshot skip. An optional toggle in Settings automatically skips screenshots on checkout, payment, and billing pages. Pattern matching detects Stripe, PayPal, Braintree, Square, and common payment URL patterns.

  • Local-only storage. No recording data is transmitted externally. The CDE boundary doesn't expand just because you're documenting a payment workflow.
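The PAN detection and CVV suppression steps above, as an added example that is not Claudia's own code: a Luhn-gated redactor over captured text, plus a form-capture model that drops any field whose autocomplete hint is cc-csc before anything is stored. The regex, the suppressed-hint set and the sample refund note are my assumptions, not the product's implementation.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not adjacent to other digits (so a 20-digit run is not a card).
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Autocomplete hints whose values are never captured. The page names
# cc-csc; extend this set (assumed) for similar hints your forms use.
_SUPPRESSED_HINTS = {"cc-csc"}


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) checksum over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid 13-19 digit run with [CARD REDACTED].
    Digit runs that fail Luhn (order ids, timestamps) are left untouched,
    which keeps the SOP readable without leaking a real PAN."""
    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return "[CARD REDACTED]" if luhn_valid(digits) else m.group(0)
    return _PAN_RE.sub(_sub, text)


def capture_form(fields):
    """Model what a recorder stores for one form. Each field is
    (name, autocomplete hint, on-screen value). Suppressed hints are
    skipped entirely before storage; every other value is PAN-redacted."""
    stored = {}
    for name, hint, value in fields:
        if hint in _SUPPRESSED_HINTS:
            continue  # never captured, not even as an empty placeholder
        stored[name] = redact_pans(value)
    return stored


if __name__ == "__main__":
    # Constructed sample: 4111 1111 1111 1111 is a well-known Visa test number.
    note = "Refunded 4111 1111 1111 1111 for order 1234567890123456"
    print(redact_pans(note))  # order id fails Luhn and is kept
    form = [("cardholder", "cc-name", "A. Example"),
            ("card", "cc-number", "4111111111111111"),
            ("cvc", "cc-csc", "123")]
    print(capture_form(form))
```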

Maintaining PCI-DSS SOPs: The Annual Review Requirement

PCI-DSS requires annual review of all policies and procedures — not just a rubber stamp, but a genuine review that checks whether the documented process still reflects what actually happens. Common drift points to check:

  • Payment processor has changed or added a new integration — update network diagrams and data flow documentation.

  • Staff turnover has changed who performs a procedure — update role assignments in the SOP.

  • The UI of a payment system has changed — re-record the workflow so screenshots match current reality.

SOPs that drift from practice are a liability, not an asset. During a QSA assessment, an SOP that contradicts how staff actually work raises questions about the entire compliance program. Recording workflows as they happen — rather than writing them from memory — is the most reliable way to keep documentation current.

This article is for informational purposes only and does not constitute legal advice. Consult your compliance team or legal counsel to evaluate how Claudia fits within your organization's specific regulatory obligations.

See Claudia's full PCI-DSS compliance details

PAN detection implementation, payment page screenshot toggle, and how cardholder data is handled at the field and page level.

