Mark Hannah & Sherri Collis
If you don’t have documented and employee acknowledged roles and responsibilities for every role that is part of your PCI scope of assessment, you may need a long roadway to get this in place.
On March 31st, 2022 PCI DSS v4.0 was released. Today’s post is part of series of pieces we are publishing that explore the changes to the PCI standard and provide insight into what the changes will mean for your organization. All of our posts can be found here.
PCI DSS v4.0 introduced the requirement to define roles and responsibilities for any personnel interacting with your cardholder data environment and/or account data. For many organizations, this will be a major change and will require a lot of effort. In this post we will look at the scope of that change and unpack what it means to you.
What's new in V4.0?
Requirements 1 through 11 now require all roles and responsibilities to be clearly defined, communicated, and acknowledged by personnel. Each of these sections contains the following two requirements:
|Examine documentation to verify that descriptions of roles and responsibilities for performing activities in Requirement “X.1.2” are documented and assigned.|
|Interview personnel with responsibility for performing activities in Requirement “X.1.2” to verify that roles and responsibilities are assigned as documented and are understood.|
Let’s take a closer look at what this means...
- First, this requires the assessed entity to examine all the requirements in each section to identify the activities that must be performed.
- Next, the roles and specific responsibilities for performing these activities must be defined.
- Then, the personnel responsible for performing these activities must be assigned to the described roles such that upon an interview by an assessor, it is discernible that personnel understand and are performing their role as documented.
In smaller organizations, roles and responsibilities will be much easier to document as the 'IT Department' may include a few individuals who are collectively responsible for everything required by the Standard. For these smaller teams, it is appropriate to document the specific individuals who are responsible for specified activities. Or, if they already have somewhat defined roles (e.g., Server Admin, Network Admin, Team Lead), those roles may be leveraged.
In larger organizations, identifying and documenting the roles and responsibilities for requirements 1 through 11 can be more complex, and even a bit daunting. This is because there are often more siloed teams performing roles with a more narrowed focus due to the volume of their work.
Take a look at the example below contrasting the roles and responsibilities between two types of organizations.
What is the difference from v3.2.1
|PCI DSS v3.2.1||PCI DSS v4.0|
PCI DSS 3.2.1 included seven requirements that touched on roles and responsibilities:
1.1.5.a Verify that firewall and router configuration standards include a description of groups, roles, and responsibilities for management of network components
12.5 Examine information security policies and procedures to verify:
PCI DSS v4.0 includes a new “X.1.2” requirement within Requirements 1 through 11.
The “X.1.2” requirements expand the scope around roles and responsibilities to ensure that those involved understand their roles in completing important compliance-impacting activities. Previously, many of these activities were either not assigned, or personnel were unaware of what was expected. In some cases, as organizational structure changes occurred, key roles and responsibilities got lost in the restructure. v4.0 addresses these concerns through increased documentation and validation requirements for all of the “X.1.2.” requirements.
In addition to the increased levels of documentation, there is now a secondary requirement to verify that the roles and responsibilities are assigned as documented and understood by those performing the roles. An assessor will interview those with responsibilities for PCI activities, and personnel must be able to confirm their roles are documented, they are assigned to the individual, the role is understood, and the role is being performed.
Note: The increased level of documented detail needed for these “X.1.2” requirements requires entities to perform an in-depth analysis of their current state to document these roles and responsibilities. Thereafter, it requires entities to maintain this detail as the organization changes. The information from PCI v3.2.1 only scratches the surface, but it can be used as a starting place.
How does this need to be documented?
The Guidance provided by the council for each of the “X.1.2” requirements is the same throughout the Standard and offers some indication of how this is to be documented, stating:
If roles and responsibilities are not formally assigned, personnel may not be aware of their day-to-day responsibilities and critical activities may not occur.
Roles and responsibilities may be documented within policies and procedures or maintained within separate documents.
A method to document roles and responsibilities is a responsibility assignment matrix that includes who is responsible, accountable, consulted, and informed (also called a RACI matrix).
For smaller organizations, documenting this in your policies and procedures might be the most appropriate approach. In larger organizations, a RACI should be considered. A simple RACI chart lists the activities down the vertical axis and the roles across the top, the horizontal axis of a spreadsheet, with R, A, C, and I (Responsible, Accountable, Consulted, and Informed) inserted into the intersecting cells as appropriate.
A hybrid approach could also be used. The Manager or Team Leads’ roles and responsibilities could be documented in the policies, and then the Manager or Team lead roles could be listed on the top axis.
For larger organizations, Online recommends a more detailed approach, as shown in the 'Documentation suggestion' section below.
Implied intent within the Guidance
The Guidance column in the v4.0 Standard gives us insight into the PCI council’s implied intent that personnel should acknowledge their roles and responsibilities in writing; however, the Standard does not require this. There is only the suggestion that it would be a good approach.
|As part of communicating roles and responsibilities, entities can consider having personnel acknowledge their acceptance and understanding of their assigned roles and responsibilities.|
Bottom line, employees will be interviewed during the assessment to confirm they understand their roles and responsibilities as documented. There is no specific requirement around how the information is to be disseminated to employees, nor how often it should be done. One recommendation is to include documented roles and mentions of, or links to, these roles in the job descriptions and human resources documentation that employees sign when accepting a position or changing roles.
Connect the identified individual responsibilities to the DSS by using a worksheet that captures all the requirements and maps them to the various departments and roles.
Setup the worksheet so that all of the requirements are in the first column. Across the top, include the departments and roles within the department. From there, go down the Standard and place an X in the box for each department and role that has anything to do with that particular requirement. This provides a simple and easy-to-reference document that helps all involved understand their roles, activity, and how it relates back to the PCI DSS.
If using the Customized Approach, take note.
A Customized Approach Objective is listed for each of the ”X.1.2” requirements as follows:
|Day-to-day responsibilities for performing all the activities in Requirement “X” are allocated. Personnel are accountable for successful, continuous operation of these requirements.|
Although it’s not specifically stated for the defined approach, the Customized Approach Objectives indicate that there must be accountability tied to the continual performance of these responsibilities. For accountability to exist, there has to be a way to determine that these items are appropriately documented, assigned and that the responsibilities are being performed.
PCI DSS v4.0 requires organizations to identify, document more specifically, and assign the roles and responsibilities for an expanded set of activities throughout the DSS. These changes, and the resulting new requirements, can represent a meaningful amount of work for your teams to address and satisfy. Understanding what is required and determining the gap between what you’ve done in the past is key to being prepared for a v4.0 assessment.
It is important to note that the “X.1.2” requirements are immediately required to be in place upon being assessed against v4.0. These requirements are not being given a reprieve to March 2025.
Online is ready to assist you in developing your PCI program, helping unpack what the v4.0 changes will mean for your organization, and then designing a compliance roadmap to get you there. For additional insight and guidance from Online’s QSA team, explore our digital PCI DSS v4.0 Resource Center, where we have identified and dissected many of the significant changes and new requirements in the latest release of the PCI Standard.
Submit a Comment