In the context of PCI SSC-related validation and compliance reports, the intent of requiring a signature from a “duly authorized officer” is to ensure the Company is aware of and has formally signed off on the work being done together with all associated Company liability for that work. Although the signatory’s job title need not include the term “officer,” the signatory must be formally authorized by the Company to sign such documents on the Company’s behalf, and should be competent and knowledgeable regarding the applicable PCI SSC program and related requirements and duties. Each organization is different, and is ultimately responsible for defining its own policies and job functions based on the Company’s needs and culture.
Examples of signatories that are not “duly authorized officers” include non-employees, attestants or notaries, and any other individual (whether or not employed by the Company) who either is not authorized to make binding commitments on the Company’s behalf and/or are merely attesting to the genuineness of the document or signature by adding their own signature. Signature authority for materials submitted to PCI SSC may not be outsourced to any third party. The duly authorized officer is ultimately accountable for the completeness, accuracy and integrity of the contents of the report.
Article Number 1356