12.11.1 Additional requirement for service providers only: Maintain documentation of quarterly review process to include:

PCI DSS v3.2.1 Questions and Answers Forum Maintain an Information Security Policy
1

12.11.1 Additional requirement for service providers only: Maintain documentation of quarterly review process to include:
• Documenting results of the reviews
• Review and sign-off of results by personnel assigned responsibility for the PCI DSS compliance program

12.11.1 Examine documentation from the quarterly reviews to verify they include:
• Documenting results of the reviews
• Review and sign-off of results by personnel assigned responsibility for the PCI DSS compliance program

Note: This requirement applies only when the entity being assessed is a service provider.

The intent of these independent checks is to confirm whether security activities are being performed on an ongoing basis. These reviews can also be used to verify that appropriate evidence is being maintained—for example, audit logs, vulnerability scan reports, firewall reviews, etc.—to assist the entity’s preparation for its next PCI DSS assessment.