What policy must be maintained regarding information security?

Multiple Choice

What policy must be maintained regarding information security?

Explanation:
PCI DSS requires a formal information security policy that applies to all personnel, so that information security is addressed for everyone in the organization. This policy sets the security expectations, responsibilities, and controls that staff, contractors, and others with access to cardholder data must follow. It underpins security awareness training, access controls, incident response, and ongoing risk management, ensuring a consistent security posture across the entire organization.

A privacy policy focuses on data privacy rights, not the overall information security controls for cardholder data. A financial policy covers financial processes rather than information security. A policy that covers vendors only misses the internal personnel responsibilities that PCI DSS mandates.
