Framework № PCI DSS 4.0 от 01.03.2022

12.4.1
Defined Approach Requirements: 
Additional requirement for service providers only:  Responsibility is established by executive management for the protection of cardholder data and a PCI DSS compliance program to include: 

Customized Approach Objective:
Executives are responsible and accountable for security of cardholder data. 

Applicability Notes:
This requirement applies only when the entity being assessed is a service provider. 
Executive management may include C-level positions, board of directors, or equivalent. The specific titles will depend on the particular organizational structure. 
Responsibility for the PCI DSS compliance program may be assigned to individual roles and/or to business units within the organization. 

Defined Approach Testing Procedures:

Purpose:
Executive management assignment of PCI DSS compliance responsibilities ensures executivelevel visibility into the PCI DSS compliance program and allows for the opportunity to ask appropriate questions to determine the effectiveness of the program and influence strategic priorities. 

12.4.2
Defined Approach Requirements: 
Additional requirement for service providers only: Reviews are performed at least once every three months to confirm that personnel are performing their tasks in accordance with all security policies and operational procedures. Reviews are performed by personnel other than those responsible for performing the given task and include, but are not limited to, the following tasks:

Customized Approach Objective:
The operational effectiveness of critical PCI DSS controls is verified periodically by manual inspection of records. 

Applicability Notes:
This requirement applies only when the entity being assessed is a service provider. 

Defined Approach Testing Procedures:

Purpose:
Regularly confirming that security policies and procedures are being followed provides assurance that the expected controls are active and working as intended. This requirement is distinct from other requirements that specify a task to be performed. The objective of these reviews is not to reperform other PCI DSS requirements, but to confirm that security activities are being performed on an ongoing basis. 

Good Practice:
These reviews can also be used to verify that appropriate evidence is being maintained—for example, audit logs, vulnerability scan reports, reviews of network security control rulesets—to assist in the entity’s preparation for its next PCI DSS assessment. 

Examples:
Looking at Requirement 1.2.7 as one example, Requirement 12.4.2 is met by confirming, at least once every three months, that reviews of configurations of network security controls have occurred at the required frequency. On the other hand, Requirement 1.2.7 is met by reviewing those configurations as specified in the requirement. 

12.4.2.1
Defined Approach Requirements: 
Additional requirement for service providers only: Reviews conducted in accordance with Requirement 12.4.2 are documented to include:

Customized Approach Objective:
Findings from operational effectiveness reviews are evaluated by management; appropriate remediation activities are implemented. 

Applicability Notes:
This requirement applies only when the entity being assessed is a service provider. 

Defined Approach Testing Procedures:

Purpose:
The intent of these independent checks is to confirm whether security activities are being performed on an ongoing basis. These reviews can also be used to verify that appropriate evidence is being maintained—for example, audit logs, vulnerability scan reports, reviews of network security control rulesets—to assist in the entity’s preparation for its next PCI DSS assessment.