Document Comparison
PA-DSS_3_0_ROV_RTs_FAQs.pdf → PA-DSS-3x-ROV-RTs-FAQs.pdf
57% similar
Pages: 8 → 6
Words: 3772 → 2612
Content changes: 28

Content Changes
28 content changes. 19 administrative changes (dates, page numbers) hidden.
Added
p. 4
Q 9 I see that some of the Documentation Reviewed instructions in ROV Reporting Template for PA-DSS v3.x are similar to those in the ROC Reporting Template for PCI DSS v3.x, but all of the ones referencing the PA-DSS Implementation Guide contain different instructions to “identify the page number(s)/sections” instead. Why is the Implementation Guide treated differently? A The PA-DSS Implementation Guide is an important part of the payment application being validated, and this adjustment to instructions for reporting on that document reflects the larger goal to support stronger PA-DSS Implementation Guides under PA-DSS v3.x.
Added
p. 5
Q 15 My company wants to have one lead PA-QSA who signs all of the AOVs our group delivers. Is that acceptable or does the signature need to be the person who led the actual assessment? A The PA-QSA signature on the Attestation of Validation (AOV) should be the name and signature of the PA-QSA who led the assessment and who is asserting compliance.
Removed
p. 2
Q 3 How can I transition my PA-DSS v2.0 application to PA-DSS v3.0? A PA-DSS v2.0 payment applications will need to undergo a full PA-DSS v3.0 assessment by a PA-QSA in order for it to be considered for PA-DSS v3.0 validation.
Q 4 I see that some of the Documentation Reviewed instructions in ROV Reporting Template for PA-DSS v3.x are similar to those in the ROC Reporting Template for PCI DSS v3.x, but all of the ones referencing the PA-DSS Implementation Guide contain different instructions to “identify the page number(s)/sections” instead. Why is the Implementation Guide treated differently? A The PA-DSS Implementation Guide is an important part of the payment application being validated, and this adjustment to instructions for reporting on that document reflects the larger goal to support stronger PA-DSS Implementation Guides under PA-DSS v3.x.
Modified
p. 2
Q 2 Which Report on Validation (ROV) should I submit for a payment application validated to PA-DSS v3.x? A Payment applications validated to PA-DSS v3.x must use the ROV Reporting Template for v3.x.
Q 2 Which Report on Validation (ROV) should I submit for a payment application validated to PA-DSS v3.x? A Payment applications validated to PA-DSS v3.x must use the corresponding version of the ROV Reporting Template for v3.x. For example, assessments to PA-DSS v3.2 must be reported using the ROV Reporting Template for PA-DSS v3.2.
Modified
p. 2
Note that as of January 1, 2015 all new submissions must adhere to and be submitted in accordance with PA-DSS Program Guide version 3. Be sure to fully understand the differences between the two Program Guides.
Note that all new submissions must adhere to and be submitted in accordance with the corresponding PA-DSS Program Guide version. Be sure to fully understand the differences between the corresponding Program Guides.
Removed
p. 3
Q 6 I'm confused about when to use which document versions and how to pair them up. Please explain it as simply as possible. A As of January 1, 2015, new application submissions must be against 3.x, and require use of the Reporting Template for 3.x, the version 3.x attestations and the other supporting 3.x documents, such as Program Guide 3.x.
Modified
p. 3 → 2
Q 5 Is use of the ROV Reporting Template for PA-DSS v3.x mandatory? A The ROV Reporting Template for PA-DSS v3.x is mandatory for use by PA-QSAs assessing against PA-DSS v3.x. An assessment against v3.x of the PA-DSS by a PA-QSA must be completed using this Reporting Template, with all grey boxes and response sections completed (even if to note it is not applicable).
Q 1 Is use of the ROV Reporting Template mandatory? A The ROV Reporting Template is mandatory for use by PA-QSAs assessing against PA-DSS. An assessment against the PA-DSS by a PA-QSA must be completed using the corresponding Reporting Template, with all grey boxes and response sections completed (even if to note it is not applicable).
Modified
p. 3 → 2
Q 7 Where can I find the unlocked Microsoft Word version of the ROV Reporting Template for PA-DSS v3.x? A The most up-to-date unlocked Microsoft Word version of the ROV Reporting Template for PA-DSS v3.x is available on the Assessor Portal (www.programs.pcissc.org) for assessors to download. Please be sure to download a clean copy before each assessment, as there may be subsequent changes to the ROV Reporting Template for PA-DSS v3.x during the PA-DSS v3.x lifecycle.
Q 3 Where can I find the unlocked Microsoft Word version of the ROV Reporting Template for PA-DSS v3.x? A The most up-to-date unlocked Microsoft Word version of the ROV Reporting Template for PA-DSS v3.x is available on the Assessor Portal (www.programs.pcissc.org) for assessors to download. Please be sure to download a clean copy before each assessment, as there may be subsequent changes to the ROV Reporting Template for PA-DSS v3.x during the PA-DSS v3.x lifecycle. We've made several …
Modified
p. 3 → 2
Contact your Program Manager directly if you cannot access the Assessor Portal. A PDF version of the ROV Reporting Template for PA-DSS v3.x is available on the PCI SSC website for non-assessor inquiries.
Contact the PA-DSS Program Manager directly if you cannot access the Assessor Portal. A PDF version of the ROV Reporting Template for PA-DSS v3.x is available on the PCI SSC website for non-assessor inquiries.
Modified
p. 3
Q 9 Can our company use our reporting tool to generate the report (such as a PDF generated from HTML), provided that the look and the content closely follow the original? A PCI SSC will allow this, but with the understanding that what your reporting tool produces must include all content from the Reporting Template and look just like the PCI SSC Reporting Template. If it cannot do that, do not use the tool and report directly into the Word …
Q 5 Can our company use our reporting tool to generate the report (such as a PDF generated from HTML), provided that the look and the content closely follow the original? A PCI SSC will allow this, but with the understanding that what your reporting tool produces must include all content from the Reporting Template and look just like the PCI SSC Reporting Template. If it cannot do that, do not use the tool and report directly into the Word …
Removed
p. 4
Q 12 Into what other languages will the ROV Reporting Template for PA-DSS v3.x be translated by
Modified
p. 4 → 3
Q 10 Before I give the final report to my client, can I remove the instruction column? I want it to look as professional as possible. A Do not remove any column from the report, particularly this column. The premise of allowing PA-QSAs to provide these sorts of answers is based on the context the instructions in that column provide. Without the column, the responses are not worth much and really would not make sense. Assessor Quality Management (AQM) …
Q 6 Before I give the final report to my client, can I remove the instruction column? I want it to look as professional as possible. A No, do not remove any column from the report. The premise of allowing PA-QSAs to provide these sorts of answers is based on the context the instructions in that column provide. Without the column, the responses lack that context and really would not make sense. Assessor Quality Management (AQM) believes that your client …
Modified
p. 4 → 3
Q 11 Do ROCs and ROVs need to be compiled only in English or may they be produced in the local language? A There is not a PCI SSC requirement that the ROC or ROV be compiled in English; however, the QSA/PA-QSA will be required to translate to English at their own expense if PCI SSC requests reports, work papers, etc. at any point. Check with the accepting brands/acquirers as to their language requirements.
Q 7 Do ROCs and ROVs need to be compiled only in English or may they be produced in the local language? A There is not a PCI SSC requirement that the ROC or ROV be compiled in English; however, the QSA/PA-QSA will be required to translate to English at their own expense if PCI SSC requests reports, work papers, etc. at any point. Check with the accepting brands/acquirers as to their language requirements.
Modified
p. 4 → 3
PCI SSC? May I translate the document myself? A There are no plans at this time for PCI SSC to translate the ROV Reporting Template for PA-DSS v3.x into any language other than English. However, it is recognized that not all work is done in English and that translations may be necessary. If a PA-QSA translates this document, PCI SSC requires the following:
Q 8 Into what other languages will the ROV Reporting Template for PA-DSS v3.x be translated by PCI SSC? May I translate the document myself? A There are no plans at this time for PCI SSC to translate the ROV Reporting Template for PA-DSS v3.x into any language other than English. However, it is recognized that not all work is done in English and that translations may be necessary. If a PA-QSA translates this document, PCI SSC requires the …
Modified
p. 4
Q 13 What happened to the Reporting Methodology instructions and checkmarks that were in the Reporting Instructions for PA-DSS v2.0, but appear to be missing from the ROV Reporting Template for PA-DSS v3.x? A PCI SSC removed the Reporting Methodology instructions and checkmark columns after determining they were no longer necessary for ROV Reporting Template for PA-DSS v3.x due to the extensive changes that were made between the Reporting Instructions for 2.0 and the Reporting Template for 3.x.
Q 10 What happened to the Reporting Methodology instructions and checkmarks that were in the Reporting Instructions for PA-DSS v2.0, but appear to be missing from the ROV Reporting Template for PA-DSS v3.x? A PCI SSC removed the Reporting Methodology instructions and checkmark columns after determining they were no longer necessary for ROV Reporting Template for PA-DSS v3.x due to the extensive changes that were made between the Reporting Instructions for v2.0 and the Reporting Template for v3.x.
Modified
p. 5 → 4
Q 14 Have requirements for work papers and retention of work papers changed? A Requirements for work papers and retention of work papers have not changed. Assessors are expected to collect evidence to support all findings. As explained in the “Introduction to the ROV Template” section of the ROV Reporting Template for PA-DSS v3.x, work papers contain comprehensive records of the assessment activities including observations, results of system testing, configuration data, file lists, interview notes, documentation excerpts, references, screenshots, and …
Q 11 Have requirements for work papers and retention of work papers changed? A Requirements for work papers and retention of work papers have not changed. Assessors are expected to collect evidence to support all findings. As explained in the “Introduction to the ROV Template” section of the ROV Reporting Template for PA-DSS v3.x, work papers contain comprehensive records of the assessment activities including observations, results of system testing, configuration data, file lists, interview notes, documentation excerpts, references, screenshots, and …
Modified
p. 5
Q 15 How do we ensure that we don’t “repeat or echo the Testing Procedure in the response,” when the responses relate directly to the testing procedures? A With the ROV Reporting Template for PA-DSS v3.x, the Reporting Instruction is present directly next to the PA-QSA’s response field, and that instruction already essentially repeats or echoes the content of the Testing Procedure. There is no need to repeat it once more, and doing so provides none of the assurance that …
Q 12 How do we ensure that we don’t “repeat or echo the Testing Procedure in the response,” when the responses relate directly to the testing procedures? A With the ROV Reporting Template for PA-DSS v3.x, the Reporting Instruction is present directly next to the PA-QSA’s response field, and that instruction already essentially repeats or echoes the content of the Testing Procedure. There is no need to repeat it once more, and doing so provides none of the assurance that …
Modified
p. 5
Q 16 Should every running operating system service and daemon be listed in the ROV? A This testing procedure requires the assessor to identify which services, protocols, daemons, components, and dependent software and hardware are enabled or required by the application, in order to verify that each of these is necessary and secure. The ROV should contain a description of how the assessor verified that all such items were identified and how they were confirmed to be necessary and secure. …
Q 13 Should every operating system and running service/daemon be listed in the ROV? A This testing procedure requires the assessor to identify which services, protocols, daemons, components, and dependent software and hardware are enabled or required by the application, in order to verify that each of these is necessary and secure. The ROV should contain a description of how the assessor verified that all such items were identified and how they were confirmed to be necessary and secure. It …
Modified
p. 5
Q 17 Requirement 13.1 requires observation of development of the PA-DSS Implementation Guide but this document should be developed before the assessment takes place. How can this be resolved? A This testing procedure verifies that the vendor has a process for developing, maintaining, and disseminating the PA-DSS Implementation Guide. The PA-QSA must briefly describe this process in the ROV and describe how the process was observed to be implemented.
Q 14 Requirement 13.1 requires observation of development of the PA-DSS Implementation Guide but this document should be developed before the assessment takes place. How can this be resolved? A This testing procedure verifies that the vendor has a process for developing, maintaining, and disseminating the PA-DSS Implementation Guide. The PA-QSA must briefly describe this process in the ROV and describe how the process was observed to be implemented.
Removed
p. 6
Q 18 My company wants to have one lead PA-QSA who signs all of the AOVs our group delivers. Is that acceptable or does the signature need to be the person who led the actual assessment? A The PA-QSA signature on the Attestation of Validation (AOV) should be the name and signature of the PA-QSA who led the assessment and who is asserting compliance. This should be more clear in the AOV for 3.x, as the use of the terms “Lead PA-QSA” and “Primary PA-QSA” in the AOV for 2.0 were potentially confusing. The intent, however, does remain the same.
PA-DSS Program Guide Questions
PA-DSS Program Guide Updates
Q 19 What are the biggest changes to PA-DSS Program Guide v2.1, in comparison to PA-DSS Program Guide v2.0? A The PA-DSS Program Guide v2.1 contains minor process and terminology updates noted since PA-DSS Program Guide v2.0. We recommend that vendors and PA-QSAs fully review …
Removed
p. 6
• Updated criteria and process for delta assessments
• Updated section on payment application change types
• “Change Documentation” section added to clarify process requirements
• Added section and Appendix B for wildcard versioning
• Former Appendix B changed to Appendix C (Identification of Certified Payment Application Builds)
• Changed “Quality Assurance Program” section to “Assessor Quality Management Program” and
Removed
p. 7
Q 23 Can a No Impact or Low Impact Change (per PA-DSS Program Guide v2.0) be submitted to transition a PA-DSS v2.0 application to PA-DSS v3.x? A No, PA-DSS v2.0 payment applications will need to undergo a full PA-DSS v3.x assessment by a PA-QSA in order for it to be considered for PA-DSS v3.x validation.
Q 25 Can I submit minor changes for a v2.0 payment application after December 31, 2014? A Yes, “minor changes” (as defined in PA-DSS Program Guide v2.1) may be submitted for PA-DSS v2.0 payment applications until October 28, 2016.
Q 26 Does a No Impact or Low Impact change affect an application’s expiry date? A No Impact and Low Impact changes do not have any effect on an application’s expiry date. Such changes may be submitted until the application expires; however, the application will still expire on its scheduled date.
Q 28 Which Program Guide should I …
Modified
p. 7 → 6
Revalidation of Listed Payment Applications
Modified
p. 7 → 6
Q 24 Do No Impact changes require change submission to PCI SSC under PA-DSS Program Guide v3.x? A If the vendor has chosen to use a wildcard versioning methodology for managing No Impact changes (in accordance with PA-DSS Program Guide v3.x or higher), Low Impact changes falling within the scope of wildcard usage are not required to be advised to PCI SSC, nor will the changes result in any update to the application listing on the PCI SSC website.
Q 16 Do No Impact changes require change submission to PCI SSC under PA-DSS Program Guide v3.x? A If the vendor has chosen to use a wildcard versioning methodology for managing No Impact changes (in accordance with PA-DSS Program Guide v3.x or higher), Low Impact changes falling within the scope of wildcard usage are not required to be advised to PCI SSC, nor will the changes result in any update to the payment application’s listing on the PCI SSC website.
Modified
p. 7 → 6
If the vendor has not chosen to use a wildcard versioning methodology for managing No Impact changes, No Impact changes will require validation and submittal to PCI SSC.
If the vendor has not chosen to use a wildcard versioning methodology, No Impact changes will require validation and submittal to PCI SSC.
Modified
p. 7 → 6
Q 27 Which Program Guide should I use to submit “minor updates” for 2.0 payment applications? A All changes to PA-DSS v2.0 payment applications must adhere to and be submitted in accordance with PA-DSS Program Guide v2.1. Vendors and assessors are not permitted to mix Program Guides.
Q 17 Which Program Guide should I use to submit Low Impact or No Impact changes for v3.x payment applications? A All changes to PA-DSS v3.x payment applications must adhere to and be submitted in accordance with the corresponding PA-DSS Program Guide. Vendors and assessors are not permitted to mix Program Guides.
Removed
p. 8
Q 29 Which Program Guide should I use to submit revalidations for v2.0 payment applications? A Revalidations for v2.0 payment applications must adhere to and be submitted in accordance with PA-DSS Program Guide v2.1. Revalidations for v2.0 payment applications will be accepted until their expiry date (October 28, 2016), after which time they will be listed as “Acceptable only for Pre-Existing Deployments.” Effective January 1, 2015, all new payment application assessments must adhere to and be submitted in accordance with PA-DSS Program Guide v3.0 in order to be considered for validation and listing as “Acceptable for New Deployments.”
Removed
p. 8
Q 31 Do I need to revalidate my v2.0 payment application after January 1, 2015? A Yes, if the vendor wishes to keep the payment application listed as “Acceptable for New Deployments.” Revalidations for v2.0 payment applications must be submitted (using Program Guide v2.1) until the application expires on October 28, 2016. Payment applications are to be revalidated according to their annual revalidation date, which is based on the date the application was originally accepted. If a vendor chooses to not revalidate their v2.0 payment application, it will be moved to the “Acceptable only for Pre-Existing Deployments” list upon expiring.
Q 35 How can I extend the expiry date of my v2.0 application beyond October 28, 2016? A All v2.0 payment applications expire on October 28, 2016, and will be listed as “Acceptable only for Pre-Existing Deployments” after this date. To extend a payment application’s expiry date and keep it listed …