Documenting Your Review Process
The final requirement in PCI Requirement 12 works in conjunction with PCI Requirement 12.11. PCI Requirement 12.11.1 requires organizations to maintain documentation of the quarterly review process, which should include documenting the results of the reviews and the review and sign-off of those results by the personnel assigned responsibility for the PCI DSS compliance program.
Why are PCI Requirement 12.11 and PCI Requirement 12.11.1 listed separately? The PCI DSS explains, “The intent of these independent checks is to confirm whether security activities are being performed on an ongoing basis. These reviews can also be used to verify that appropriate evidence is being maintained—for example, audit logs, vulnerability scan reports, firewall reviews, etc.—to assist the entity’s preparation for its next PCI DSS assessment.”
The last sub-requirement within the last requirement of the PCI DSS is PCI Requirement 12.11.1. PCI Requirement 12.11.1 says that if you are a service provider, you have to implement a program in which your management receives all of the documentation about your quarterly review program and signs off on it.
Understand that management is responsible for overall security. They might delegate that responsibility to somebody else within their organization, but at the end of the day they own it: they broke it, they bought it, it's theirs. PCI Requirement 12.11.1 says that management is receiving that information, managing that information, and, having received it, is well aware of it and signing off on it.