9.1.2 Roles and responsibilities for performing activities in Requirement 9 are documented, assigned, and understood.

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

Customized Approach Objective

Day-to-day responsibilities for performing all the activities in Requirement 9 are allocated. Personnel are accountable for successful, continuous operation of these requirements.

Defined Approach Testing Procedures

9.1.2.a Examine documentation to verify that descriptions of roles and responsibilities for performing activities in Requirement 9 are documented and assigned. 9.1.2.b Interview personnel with responsibility for performing activities in Requirement 9 to verify that roles and responsibilities are assigned as documented and are understood.

Purpose

If roles and responsibilities are not formally assigned, personnel may not be aware of their day-to-day responsibilities, and critical activities may not occur.

Good Practice

Roles and responsibilities may be documented within policies and procedures or maintained within separate documents.

As part of communicating roles and responsibilities, entities can consider having personnel acknowledge their acceptance and understanding of their assigned roles and responsibilities.

Examples

A method to document roles and responsibilities is a responsibility assignment matrix that includes who is responsible, accountable, consulted, and informed (also called a RACI matrix).

purpose

Ensure roles and responsibilities for physical security are documented, assigned, and understood.

compliance strategies

RACI matrix
Role-based training and assignment

typical policies

Physical Security Responsibility Matrix

common pitfalls

Unclear accountability
Overlapping or missing assignments

type

Governance

difficulty

Low

key risks

Security gaps due to unassigned tasks

recommendations

Integrate with HR onboarding and offboarding processes

Eligible SAQ

SAQ-D MERCHANT
SAQ-D SERVICE PROVIDER