Which statement best describes the PCI DSS requirement for security policies related to vendor defaults and other security parameters?


Multiple Choice

Which statement best describes the PCI DSS requirement for security policies related to vendor defaults and other security parameters?

Explanation:
Security policies in PCI DSS must be formal, actionable, and in force everywhere they apply. The requirement is that the security policy addressing information security for all personnel be documented, kept current, and disseminated so that everyone affected knows the rules and follows them. For vendor defaults and other security parameters, that means having a policy that is not only written down but also put into practice and shared with those who need to know it: staff and any external parties involved. Documenting alone is not enough; the policy must actively guide configurations (for example, changing vendor-default passwords and applying secure settings) and be communicated so that people understand their responsibilities. Vendor defaults are within PCI DSS scope because insecure defaults can expose cardholder data. A policy that focuses only on incident response, or that merely exists on paper, would fail to meet the broader governance requirement.

