
12.4.1 Additional requirement for service providers only

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

12.4.1 Additional requirement for service providers only: Responsibility is established by executive management for the protection of cardholder data and a PCI DSS compliance program to include:

  • Overall accountability for maintaining PCI DSS compliance.
  • Defining a charter for a PCI DSS compliance program and communication to executive management.

Customized Approach Objective

Executives are responsible and accountable for security of cardholder data.

Applicability Notes

This requirement applies only when the entity being assessed is a service provider.

Executive management may include C-level positions, board of directors, or equivalent. The specific titles will depend on the particular organizational structure.

Responsibility for the PCI DSS compliance program may be assigned to individual roles and/or to business units within the organization.

Defined Approach Testing Procedures

12.4.1 Additional testing procedure for service provider assessments only: Examine documentation to verify that executive management has established responsibility for the protection of cardholder data and a PCI DSS compliance program in accordance with all elements specified in this requirement.

Purpose

Executive management assignment of PCI DSS compliance responsibilities ensures executive-level visibility into the PCI DSS compliance program and allows for the opportunity to ask appropriate questions to determine the effectiveness of the program and influence strategic priorities.

Further Information

Purpose

Assign an individual or team to be responsible for the overall information security program.

Compliance Strategies

  • Formal assignment of CISO or security team

Typical Policies

  • Security Program Charter

Common Pitfalls

  • No clear security leadership
  • Shared or part-time responsibility

Type

Governance

Difficulty

Low

Key Risks

  • Lack of program direction

Recommendations

  • Assign full-time security leadership

Eligible SAQ

  • SAQ-D SERVICE PROVIDER
