In PCI DSS, what is required for documentation and communication of physical access policies?

Study for the PCI Data Security Standard Exam. Master your knowledge with interactive flashcards and multiple-choice questions, each with hints and explanations. Prepare confidently for your certification test!

Multiple Choice

In PCI DSS, what is required for documentation and communication of physical access policies?

Explanation:
Policies for physical access must be formalized and shared. In PCI DSS, the organization needs to have physical access policies that are documented, actually implemented through real controls (like access badges, door alarms, visitor logs, etc.), and communicated to everyone who could be affected—employees, contractors, and third parties—with clear understanding of their roles and responsibilities. This combination ensures the rules are known and followed, not just written. Encryption does not make these policies optional, and physical access controls cover more than just storage devices or isolated areas; they apply to all areas where cardholder data could be accessed. Policies should be kept current and in effect, not merely updated on a fixed schedule and then ignored.
