This is Part 1 in a 4-part series exploring how to ensure readiness for a Payment Card Industry (PCI) assessment, and how to avoid issues that can cause delays and additional costs.
The most useful documents required of PCI-DSS are covered in PCI-DSS requirements 1.1.2 (network diagram) and 1.1.3 (data flow diagram). Depending on the complexity of your network and processes, you could have one combined network and data flow diagram or you may require multiple diagrams.
Regarding PCI compliance, all entities that store, process or transmit cardholder data are subject to the requirements of the PCI Data Security Standard (PCI DSS). Merchant or Service Provider Level, and how cardholder data is handled normally determine how an entity is required to validate compliance.
Every company should have documented Information Technology policies and procedures to prepare them for regulatory requirements. However most organizations, particularly startup companies, do not have the time or expertise in drafting these very important documents.