Who Approves Usage Policies?
Your usage policies, as stated in PCI Requirement 12.3.1, should require explicit approval by authorized parties. The PCI DSS explains that if your usage policies do not require formal approval for implementation of critical technologies, your personnel may innocently implement a solution to a perceived business need, but also open a gap that puts critical systems and cardholder data at risk.
To test compliance with PCI Requirement 12.3.1, an assessor will need to examine your usage policies to ensure that there is a process for obtaining explicit approval by authorized parties to use certain technologies.
Your usage policy needs to include explicit approval by management for your critical technologies. This is really intended to prevent the casual user, the administrator, or any individual with mal-intent or non- mal-intent from bringing something into your environment and plugging it in or causing some type of negative impact to your security environment.