PCI DSS Requirement 12.1.1 requires that security policies and procedures be disseminated to all relevant personnel and that those individuals understand and acknowledge the policies. While review and update frequencies are also part of compliance, the most complete and correct answer is that policies must be shared with affected parties.
Option A: Incorrect. Encryption is not specifically required for policy documents.
Option B: Incorrect. Limiting access to only management contradicts the requirement for distribution.
Option C: Incorrect. The correct review cycle per Requirement 12.1.2 is annually, not quarterly.
Option D: Correct. Policies and procedures must be understood and acknowledged by all affected parties.
[Reference: PCI DSS v4.0.1 – Requirement 12.1.1 and 12.1.2.]