PCI Requirement 12.4.1 – Additional Requirement for Service Providers Only: Executive Management Shall Establish Responsibility for the Protection of Cardholder Data and a PCI DSS Compliance Program

by Randy Bartels / July 3rd, 2018

Tone from the Top

PCI Requirement 12.4.1 is a sub-requirement of PCI Requirement 12 and applies to service providers only. It requires that executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program, which includes overall accountability for maintaining PCI compliance and defining a charter for a PCI DSS compliance program and communication to executive management.

PCI Requirement 12.4.1 is vital for a “tone from the top” attitude. The PCI DSS guidance says, “Executive management assignment of PCI DSS compliance responsibilities ensures executive-level visibility into the PCI DSS compliance program and allows for the opportunity to ask appropriate questions to determine the effectiveness of the program and influence strategic priorities.” Executive management could include your board of directors, C-level positions, investors, or other stakeholders.

To verify compliance with PCI Requirement 12.4.1, an assessor will examine documentation to see that executive management has some accountability assignment and review the PCI charter.

PCI Requirement 12.4.1 requires that service providers define and appoint somebody within your organization the overall responsibility for managing the security of the PCI DSS. What we’re looking for is that you have a formal charter that defines what that looks like. We’re looking for the actual individual to interview them and to talk to them about the charter and how they go about managing those responsibilities for PCI DSS.

We know that PCI DSS compliance can be intimidating, so we’ve provided this PCI DSS charter document template to help you comply with PCI Requirement 12.4.1.

PCI DSS Charter Document Template


The purpose of this charter is to establish the policies and procedures for complying with the Payment Card Industry Data Security Standard (PCI DSS). This charter defines the roles and responsibilities of employees and management in maintaining the confidentiality, integrity, and availability of cardholder data.


This charter applies to all employees, contractors, and vendors who handle or have access to cardholder data in the organization’s systems or network. The scope of the PCI DSS compliance program covers all payment channels, including point-of-sale (POS), e-commerce, and mail order/telephone order (MOTO).

Roles and Responsibilities:

The following roles and responsibilities are defined for PCI DSS compliance:

  • Executive Sponsor: The executive sponsor is responsible for providing the necessary resources and support for the PCI DSS compliance program. The executive sponsor is also responsible for ensuring that the compliance program aligns with the organization’s overall security strategy and objectives.
  • Compliance Officer: The compliance officer is responsible for overseeing the PCI DSS compliance program, including managing the compliance project, conducting risk assessments, developing policies and procedures, and coordinating with internal and external auditors.
  • Security Officer: The security officer is responsible for ensuring the security of the organization’s systems and network, including implementing and maintaining technical security controls to protect cardholder data.
  • IT Operations: The IT operations team is responsible for implementing and maintaining the organization’s systems and network, including applying security patches and updates, monitoring systems for security incidents, and ensuring the availability of systems and network.
  • Business Units: Business units are responsible for ensuring that the systems and processes they use for handling cardholder data are compliant with the PCI DSS requirements.

PCI DSS Compliance Program:

The PCI DSS compliance program consists of the following elements:

  • Risk Assessment: The organization will conduct a risk assessment to identify the risks to cardholder data and the systems and processes that handle cardholder data.
  • Policies and Procedures: The organization will develop and implement policies and procedures that comply with the PCI DSS requirements.
  • Technical Controls: The organization will implement and maintain technical security controls to protect cardholder data, including firewalls, encryption, and access controls.
  • Security Monitoring: The organization will monitor its systems and network for security incidents and take appropriate action to address any security issues that arise.
  • Training and Awareness: The organization will provide training and awareness programs to employees, contractors, and vendors who handle cardholder data to ensure they understand their roles and responsibilities for protecting cardholder data.

Compliance Reporting:

The compliance officer will provide regular reports to executive management on the status of the PCI DSS compliance program, including the results of the risk assessment, progress in implementing policies and procedures, and any security incidents that occur.


This PCI DSS charter document outlines the organization’s approach to achieving and maintaining compliance with the PCI DSS requirements. By following this charter, the organization can protect the confidentiality, integrity, and availability of cardholder data and ensure the trust of its customers and partners.

Still have questions about PCI DSS?

Do you still have questions about PCI Requirement 12.4.1, charter documentation, or just PCI DSS in general? We’ve got you covered. Here at KirkpatrickPrice, we want to partner with you for all of your PCI needs.

Connect with one of our experts today to start working toward your compliance goals.