WithPCI.com

A3.1.1 Responsibility is established by executive management for the protection of account data and a PCI DSS compliance program that includes:

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

A3.1.1 Responsibility is established by executive management for the protection of account data and a PCI DSS compliance program that includes:

  • Overall accountability for maintaining PCI DSS compliance.
  • Defining a charter for a PCI DSS compliance program.
  • Providing updates to executive management and board of directors on PCI DSS compliance initiatives and issues, including remediation activities, at least once every 12 months.

PCI DSS Reference: Requirement 12

Customized Approach Objective

This requirement is not eligible for the customized approach.

Defined Approach Testing Procedures

A3.1.1.a Examine documentation to verify executive management has assigned overall accountability for maintaining the entity's PCI DSS compliance.

A3.1.1.b Examine the company's PCI DSS charter to verify it outlines the conditions under which the PCI DSS compliance program is organized.

A3.1.1.c Examine executive management and board of directors meeting minutes and/or presentations to ensure PCI DSS compliance initiatives and remediation activities are communicated at least once every 12 months.

Purpose

Executive management assignment of PCI DSS compliance responsibilities ensures executive-level visibility into the PCI DSS compliance program and allows for the opportunity to ask appropriate questions to determine the effectiveness of the program and influence strategic priorities.

Good Practice

Executive management may include C-level positions, board of directors, or equivalent. The specific titles will depend on the particular organizational structure.

Responsibility for the PCI DSS compliance program may be assigned to individual roles and/or to business units within the organization.

Purpose

Designated entities (organizations that a payment brand or acquirer has required to undergo the Appendix A3 supplemental validation) must maintain a PCI DSS compliance program with executive oversight.

Compliance Strategies

  • Executive sponsorship: a named executive holds overall accountability for maintaining PCI DSS compliance.
  • Program documentation: a charter that defines how the compliance program is organized and governed.

Typical Policies

  • Compliance Program Charter

Common Pitfalls

  • No executive involvement: accountability is left with IT or security staff and never reaches C-level management or the board.
  • Unclear program scope: no charter states what the compliance program covers or how it is organized.
  • No record of executive or board updates, so the annual reporting checked in A3.1.1.c cannot be evidenced.

Type

Governance

Difficulty

Moderate

Key Risks

  • Lack of compliance ownership: without an accountable executive, remediation stalls and compliance status goes unreported.

Recommendations

  • Assign an executive sponsor with overall accountability for the PCI DSS program.
  • Document a PCI DSS compliance program charter.
  • Put PCI DSS compliance status and remediation activities on the executive and board agenda at least once every 12 months, and retain the meeting minutes or presentations as evidence for A3.1.1.c.
