How to Write a SOX & PCI DSS Compliance Plan for an Online Payment Company

This one is simpler to write about but easy to underdo. Your plan should address how PayNexus handles new system deployments — specifically, the system hardening baseline applied to every server before it joins the CDE. Describe a process: IT security team runs a hardening checklist, changes all defaults, disables unnecessary services, documents the configuration baseline.

• System hardening standards (CIS Benchmarks are a good reference)
• Inventory of all system components in scope
• Process for disabling unused ports and services
• Documentation and review of configuration standards annually

This is one of the most substantive requirements for an online payment company. Your plan needs to address what data PayNexus actually stores (Primary Account Number, expiration date, cardholder name — but never the full magnetic stripe, CVV, or PIN), how it’s protected at rest, and data minimization policies. Tokenization is the key concept here — most modern payment processors replace actual card numbers with tokens to reduce CDE scope.

• Data discovery and classification process — what do you actually store?
• Encryption at rest: AES-256 for any stored PAN data
• Tokenization approach for recurring billing scenarios
• Data retention and secure deletion policy (what’s the business justification for keeping card data?)
• Masking of PAN when displayed (show only last four digits)

For an online payment company, this is straightforward in concept but important to be specific about. All transmission of cardholder data over the internet — between the customer’s browser and PayNexus servers, between PayNexus and acquiring banks, between PayNexus and third-party processors — must use strong cryptography. TLS 1.2 minimum; TLS 1.3 preferred. SSL and early TLS are explicitly prohibited under PCI DSS v4.0.

• TLS 1.3 implementation across all payment APIs and web interfaces
• Certificate management process (who manages SSL/TLS certificates, renewal schedule)
• Prohibition on sending card data via unencrypted channels (email, SMS, unencrypted HTTP)
• Inventory of all transmission paths involving cardholder data

More than just “install antivirus.” Your plan should describe how PayNexus deploys and manages endpoint detection across CDE systems, how signature updates are automated, how scans are scheduled and logged, and how detections are escalated. Also address systems for which antivirus is not commonly deployed (some UNIX/Linux systems) and explain the compensating controls used instead.

• Centrally managed endpoint protection platform across all CDE systems
• Automated daily signature updates with verification logging
• Weekly full-system scans; real-time protection enabled at all times
• Incident escalation process when malware is detected

This is a big one for a payment company with an in-house development team. PCI DSS requires that all custom-developed applications follow a secure development lifecycle (SDLC) and that vulnerabilities are patched in a timely manner. Address patch management timelines (critical patches within 30 days is a common policy), web application firewall (WAF) deployment, and code review processes.

• Secure SDLC: security requirements, design review, SAST/DAST in CI/CD pipeline
• Patch management policy — critical patches (CVSS 9+) within 30 days, high within 60
• Web Application Firewall (WAF) in front of all public-facing payment applications
• Prohibition of production data in development/test environments
• Change control process for all production system changes

Role-based access control (RBAC) is the mechanism here. Your plan should describe how PayNexus implements least-privilege access — only people whose job function requires access to cardholder data get it. Document the access approval process, periodic access review schedule, and how access is terminated when someone changes roles or leaves the company.

• RBAC implementation: define roles, map to data access permissions
• Formal access request and approval workflow
• Quarterly access review and re-certification process
• Immediate access revocation process tied to HR offboarding

No shared credentials. Every person and every service account gets a unique identifier so actions can be traced back to a specific individual. Your plan should address multi-factor authentication (MFA) requirements — PCI DSS v4.0 requires MFA for all access into the CDE, not just remote access. Password complexity requirements and account lockout policies also belong here.

• MFA required for all CDE access (not just remote — any access to CDE systems)
• Password policy: minimum 12 characters, complexity requirements, 90-day rotation for privileged accounts
• Account lockout after 6 failed attempts; lockout duration of 30 minutes
• Prohibition on generic or shared accounts within the CDE
• Service account inventory and password management process

Often underwritten in student papers because it feels less “digital.” But for an online payment company hosting servers in a data center (or using a co-location facility), physical access controls matter. Describe how server racks are physically secured, how visitor access to data center areas is managed, and how media containing card data is handled and destroyed.

• Data center access controls: badge readers, biometric locks on server rooms
• Visitor log maintained with time-stamped entries and escort requirements
• Media handling policy: encrypted portable media, secure disposal (DoD 5220.22-M wiping or physical destruction)
• CCTV monitoring of server rooms with 90-day retention of footage

This is where SIEM (Security Information and Event Management) systems come in. Your plan should describe how PayNexus logs all access to CDE systems, how logs are protected from tampering, how long they’re retained, and how the security team monitors for anomalies. PCI DSS requires at minimum daily log review and one year of log retention (three months immediately available).

• Centralized SIEM platform aggregating logs from all CDE systems
• Log retention: 12 months total, 3 months immediately accessible
• Automated alerting for suspicious activity (failed logins, privilege escalation, after-hours access)
• Daily log review procedure — who reviews, what they look for, how findings are escalated
• Time synchronization via NTP across all systems (critical for forensic log correlation)

This requirement covers vulnerability scanning, penetration testing, and intrusion detection. Your plan should include a testing calendar. PCI DSS requires quarterly internal vulnerability scans, quarterly external scans by an Approved Scanning Vendor (ASV), and annual penetration testing (external and internal, including application-layer testing for your payment application). Wireless network scanning is also required.

• Quarterly internal vulnerability scans by certified internal team
• Quarterly external vulnerability scans by ASV (approved scanning vendor)
• Annual penetration test: network and application layer, inside and outside CDE perimeter
• Wireless scanning: quarterly scans to detect unauthorized access points
• Remediation process: findings triaged by severity, remediation timelines documented

The capstone requirement. Every technical control only works if the people operating it understand the rules. Your plan should describe PayNexus’s information security policy framework — a master policy, supporting standards, annual training for all staff with role-specific training for CDE-adjacent employees, and an incident response plan. PCI DSS also requires a risk assessment process and a vendor management program for third-party service providers who touch cardholder data.

• Information Security Policy: annual review and sign-off by executive leadership
• Security awareness training: all employees annually; role-specific training for CDE staff
• Incident response plan: roles, escalation paths, containment procedures, reporting timelines (card brands must be notified within defined timeframes of a breach)
• Annual risk assessment using a recognized framework (NIST, ISO 27005)
• Third-party vendor inventory and due diligence process — your processors, hosting providers, and software vendors are in scope if they touch cardholder data