10.1.2 Roles and responsibilities for performing activities in Requirement 10 are documented, assigned, and understood.
Defined Approach Requirements
10.1.2 Roles and responsibilities for performing activities in Requirement 10 are documented, assigned, and understood.
Customized Approach Objective
Day-to-day responsibilities for performing all the activities in Requirement 10 are allocated. Personnel are accountable for successful, continuous operation of these requirements.
Defined Approach Testing Procedures
10.1.2.a Examine documentation to verify that descriptions of roles and responsibilities for performing activities in Requirement 10 are documented and assigned.
10.1.2.b Interview personnel with responsibility for performing activities in Requirement 10 to verify that roles and responsibilities are assigned as defined and are understood.
Purpose
If roles and responsibilities are not formally assigned, personnel may not be aware of their day-to-day responsibilities and critical activities may not occur.
Good Practice
Roles and responsibilities may be documented within policies and procedures or maintained within separate documents.
As part of communicating roles and responsibilities, entities can consider having personnel acknowledge their acceptance and understanding of their assigned roles and responsibilities.
Examples
A method to document roles and responsibilities is a responsibility assignment matrix that includes who is responsible, accountable, consulted, and informed (also called a RACI matrix).
Purpose
Assign and document roles and responsibilities for logging and monitoring.
Compliance Strategies
- RACI matrix
- Role-based training and assignment
Typical Policies
- Logging Responsibility Matrix
Common Pitfalls
- Unclear accountability
- Overlapping or missing assignments
Type
Governance
Difficulty
Low
Key Risks
- Gaps in log review or response
Recommendations
- Integrate with HR onboarding/offboarding processes
Eligible SAQ
- SAQ-D MERCHANT
- SAQ-D SERVICE PROVIDER