
PCI DSS 4.0 Frequently Asked Questions

March 27, 2024 | Richard Haag

As PCI DSS v3.2.1 phases out, we have been fielding numerous questions about meeting specific PCI DSS 4.0 requirements now and about the requirements that become effective in 2025.

This page is dedicated to answering these frequently asked questions, sharing our expert insights to help you implement the new standards effectively.

Assignment of Responsibility

At a high level, Requirements 1-11 each begin with assigning responsibility for the specific control objective; these sub-requirements are identified as x.1.2, where x is the overall objective (1-11).

While assigning responsibility for Requirements 1-11 may seem trivial, Intersec has found that relationships between roles exist in both small and large companies that are not obvious until they are written down.

Completing a Responsible, Accountable, Consulted, and Informed (RACI) matrix versus just placing names or teams on a given requirement spreadsheet will uncover all relationships and ensure everyone knows their roles, responsibilities, and who is accountable.

Doing this correctly the first time ensures your processes are mature, eases compliance reporting going forward, and is critical to meeting future-dated Requirement 12.5.3, which requires analysis and documentation of the impact of organizational change (reduction in force, acquisition, divestiture, etc.).

When clients work through this task, we often get two questions.

  1. What does it mean to be Responsible, Accountable, Informed, or Consulted?
  2. How granular does this need to be? This is going to take a lot of time!

Below, we outline how to execute this task in an efficient manner.

What is a RACI Matrix?

Starting with question one, Forbes has an excellent primer on completing a RACI matrix.

In summary:

  • R – Responsible – the person or team responsible for completing a task.
  • A – Accountable – the person or team who ensures a task is completed and meets the deliverable.
  • C – Consulted – the person or team who provides input or feedback on a given task.
  • I – Informed – the person or team who should be kept informed of progress or issues (typically at a high level).

In our experience, different organizations have different levels of complexity. In a smaller organization of 3-5 people, Requirement 1 may indeed have the same person listed as both Responsible and Accountable, with nobody else Consulted or Informed. In rare cases, this may also be true for larger organizations.

Intersec has found that spending time up front on analysis and going through a detailed RACI exercise uncovers relationships organizations may not have known existed, or demonstrates a breakdown in communication between siloed teams that should be remedied.


How Granular Should A RACI Matrix Be?

Intersec initially suggested in the transition plan that a high-level matrix is all that is required. While this may work for smaller organizations, we have encountered significant complexities in larger organizations and in those embracing “shift-left” DevOps frameworks.

As a result, we currently recommend all our clients build their matrices using each PCI requirement.

At a high level, Requirements 1.1, 1.2, and 1.3 seem straightforward, but when you get into the actual sub-requirements, you will quickly find that there are likely significant differences between who is responsible and who is accountable. For example, Requirements 1.2.3 and 1.2.4 ask for diagrams that are typically maintained by different personnel.

  • Requirement 1.2.3 – Ensure a network diagram is maintained; typically assigned to the network administrator.
  • Requirement 1.2.4 – Ensure an accurate dataflow diagram is maintained; this will require developers, architects, and possibly network admins.

Assigning these groups at a high level (such as at 1.2, as we did in the transition plan example) might be technically accurate, but the split of responsibility must be clarified.

RACI MATRIX                                                  | Network Admin | Firewall Admin | Application Teams | Platform Teams | Compliance Teams | Infosec | Business Manager
1.1 Installing and Maintaining Security Controls             | R             | R              | A                 | A              | C                | I       | A/I
1.2 Network Security Controls are configured and maintained  | R             | R              | A                 | A              | C                | I       | A/I

Most QSAs likely will not make a distinction this year in terms of granularity. However, as previously stated, going through the initial exercise has helped our clients realize that they need a better understanding of the inter-team interactions required to maintain compliance from one year to the next.

Another related question is whether all attributes in a RACI matrix need to be used. The answer is no.

In many cases, you may only see Responsible and Accountable; in some cases, that might be the same team listed as ‘R/A’. We find that every organization, regardless of size, is different. Adding a Notes column to your matrix is also a good idea and may reduce confusion. For example, a development team and a firewall admin may be responsible for implementing security groups and firewall ACLs, respectively, resulting in an ‘R’ listed in both columns.
