PCI Requirement 12.4 establishes the requirement to ensure that the security policy and procedures clearly define information security responsibilities for all personnel. Anyone with access to cardholder data will have some level of security responsibility, and they must be aware of that.
The PCI DSS guidance explains, “Without clearly defined security roles and responsibilities assigned, there could be inconsistent interaction with the security group, leading to unsecured implementation of technologies or use of outdated or unsecured technologies.”
To verify compliance with PCI Requirement 12.4, assessors will take a sample of personnel to interview about security policies and be sure they understand their level of security responsibility.
PCI Requirement 12.4 establishes the requirement to define security policies and procedures for all individuals. I want to emphasize the “all.” Anybody within your environment that has skin in the game around access to cardholder data will have some merit of security responsibilities that they need to tend to. PCI Requirement 12.4 calls out the need to establish those policies and procedures.