PCI DSS Requirement 12.1.1 requires that security policies and procedures be disseminated to all relevant personnel and that those individuals understand and acknowledge the policies. While review and update frequencies are also part of compliance, the most complete and correct answer is that policies must be shared with affected parties.
Option A: Incorrect. Encryption is not specifically required for policy documents.
Option B: Incorrect. Limiting access to only management contradicts the requirement for distribution.
Option C: Incorrect. The correct review cycle per Requirement 12.1.2 is annually, not quarterly.
Option D: Correct. Policies and procedures must be understood and acknowledged by all affected parties.
According to Section 7 – Description of Timeframes Used in PCI DSS Requirements, the PCI DSS defines "quarterly" as:
“An activity performed once per calendar quarter (i.e., one time in each three-month period), or as close as reasonably possible to the calendar quarter.”
Option A: ✅ Correct. This aligns precisely with PCI DSS’s definition: once in each three-month calendar quarter.
Option B: ❌ Incorrect. PCI DSS does not define quarterly by a fixed number of days.
Option C & D: ❌ Incorrect. Specific dates or months are not prescribed.
[Reference: PCI DSS v4.0.1 – Section 7: Description of Timeframes Used in PCI DSS Requirements.]