Tone from the Top
PCI Requirement 12.4.1 is a sub-requirement of PCI Requirement 12 and applies to service providers only. It requires that executive management establish responsibility for the protection of cardholder data and for a PCI DSS compliance program. That responsibility includes overall accountability for maintaining PCI DSS compliance, defining a charter for the PCI DSS compliance program, and communicating the program's status to executive management.
PCI Requirement 12.4.1 is vital for a “tone from the top” attitude. The PCI DSS guidance says, “Executive management assignment of PCI DSS compliance responsibilities ensures executive-level visibility into the PCI DSS compliance program and allows for the opportunity to ask appropriate questions to determine the effectiveness of the program and influence strategic priorities.” Executive management could include your board of directors, C-level positions, investors, or other stakeholders.
To verify compliance with PCI Requirement 12.4.1, an assessor will examine documentation to confirm that executive management has formally assigned overall accountability for PCI DSS compliance, and will review the PCI DSS compliance program charter.
PCI Requirement 12.4.1 requires that service providers define and assign to somebody within the organization the overall responsibility for protecting cardholder data and managing the PCI DSS compliance program. What we’re looking for is a formal charter that defines what that responsibility looks like. We’re also looking to interview the actual individual who holds it, to talk with them about the charter and how they go about managing their PCI DSS responsibilities.