Which statement best describes the overarching requirement for protecting stored cardholder data from a policy perspective?


Multiple Choice

Which statement best describes the overarching requirement for protecting stored cardholder data from a policy perspective?

Explanation:
Policies and procedures for protecting stored cardholder data must be documented, in use, and known to all affected parties. Documenting the policies gives a clear standard for how data should be protected, including controls around access, encryption, retention, and disposal. Requiring that they are in use ensures the documented guidance translates into real, everyday practice rather than sitting on a shelf. Making them known to all affected parties creates accountability and consistent behavior across the organization. Without any one of these elements, protection can become inconsistent or theoretical. For example, having policies on paper alone doesn’t guarantee they’re followed; sharing them only with external auditors doesn’t ensure internal adherence; storing the policies offsite doesn’t guarantee staff awareness or enforcement.

