Document Comparison

PCI-DSS-v3_2-A3_DESV-S_ROC-Reporting-Template.pdf PCI-DSS-v3-2-1-DESV-S-ROC-Template-r2.pdf
75% similar
26 → 23 Pages
7875 → 7705 Words
99 Content Changes

From Revision History

  • December 2018 For use with PCI DSS v3.2.1 To update the template to align with PCI DSS v3.2.1.
  • September 2022 For use with PCI DSS v3.2.1 Revision 1
  • September 2022 © 2006-2022 PCI Security Standards Council, LLC. All Rights Reserved. Page 3 Introduction to the Supplemental ROC Template for PCI DSS v3.2.1, Appendix A3:
  • September 2022 © 2006-2022 PCI Security Standards Council, LLC. All Rights Reserved. Page 4 Addendum to ROC Reporting Template - Reporting Template for use with PCI DSS

Content Changes

99 content changes. 43 administrative changes (dates, page numbers) hidden.

Added p. 2
For use with PCI DSS v3.2 Revision 1.0 To update the template to align with PCI DSS v3.2.
Added p. 4
• Overall accountability for maintaining PCI DSS compliance

• Defining a charter for a PCI DSS compliance program

• Definition of activities for maintaining and monitoring overall PCI DSS compliance, including business as usual activities

• Annual PCI DSS assessment processes

• Processes for the continuous validation of PCI DSS requirements (for example: daily, weekly, quarterly, etc. as applicable per requirement).

• A process for performing business impact analyses to determine potential PCI DSS impacts for strategic business
Added p. 6
• Business impact analyses to determine potential PCI DSS impacts for strategic business decisions <Report Findings Here> Describe how compliance activities were observed to verify that defined processes are implemented for the following:

• Maintaining and monitoring overall PCI DSS compliance, including business as usual activities <Report Findings Here>

• Annual PCI DSS assessment(s) <Report Findings Here>

• Continuous validation of PCI DSS requirements <Report Findings Here>
Added p. 6
• Managing business impact analyses to determine potential PCI DSS impacts for strategic business decisions

• Managing continuous validation of PCI DSS requirements (for example: daily, weekly, quarterly, etc. as applicable per requirement)

• Managing business impact analyses to determine potential PCI DSS impacts for strategic business decisions Identify the information security policies and procedures document(s) examined to verify that roles and responsibilities are clearly defined and that duties are assigned to include at least the following:

• Managing continuous validation of PCI DSS requirements

• Managing continuous validation of PCI DSS requirements

• Managing business impact analyses to determine potential PCI DSS impacts for strategic business decisions <Report Findings Here> A3.1.3.b Interview responsible personnel and verify they are familiar with and performing their designated PCI DSS compliance responsibilities.
Added p. 8
• Identifying all in-scope networks and system components

• Identifying all connected entities (e.g. third party entities with access to the cardholder data environment (CDE))

• Identification of all in-scope networks and system components

• Identification of all out-of-scope networks and justification for networks being out of scope, including descriptions of all segmentation controls implemented

• Identification of all in-scope networks and system components <Report Findings Here>

• Identification of all out-of-scope networks and justification for networks being out of scope, including descriptions of all segmentation controls implemented <Report Findings Here>

• Performing a formal PCI DSS impact assessment

• Identifying applicable PCI DSS requirements to the system or network

• Updating PCI DSS scope as appropriate

• A formal PCI DSS impact assessment was performed
Added p. 10
• A formal PCI DSS impact assessment was

• A formal PCI DSS impact assessment was

• Sign-off by responsible personnel (as defined in A3.1.3) was obtained and documented <Report Findings Here> A3.2.2.1 Upon completion of a change, all relevant PCI DSS requirements must be verified on all new or changed systems and networks, and documentation must be updated as applicable. Examples of PCI DSS requirements that should be verified include, but are not limited to:

• Updated network diagram to reflect changes

• Systems are configured per configuration standards, with all default passwords changed and unnecessary services disabled

• Systems are protected with required controls, e.g. file integrity monitoring (FIM), anti-virus, patches, audit logging

• Verification that sensitive authentication data (SAD) is not stored and that all cardholder data (CHD) storage is documented and incorporated into data retention policy and procedures

• New systems are included in the quarterly vulnerability scanning process
Added p. 12
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings A3.2.4 Examine the results from the most recent penetration test to verify that:

• Penetration testing to verify segmentation controls is performed at least every six months and after any changes to segmentation controls/methods,

• The penetration testing covers all segmentation controls/methods in use

• The penetration testing verifies that segmentation controls/methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.

• The penetration testing verifies that segmentation controls/methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.

• The penetration testing covers all segmentation controls/methods in use <Report Findings Here>

• Data discovery methodology includes processes for identifying all sources and locations of clear text PAN

• Data discovery methodology includes processes for identifying all sources and locations of clear text PAN
Added p. 13
• The process includes verifying the methods are able to discover clear text PAN on all types of system components and file formats in use Identify the personnel interviewed who confirm that;

• The process includes verifying the methods are able to discover clear text PAN on all types of system components and file formats in use <Report Findings Here> Identify the document(s) examined to verify that:
Added p. 16
• physical access controls

• logical access controls

• audit logging mechanisms

• segmentation controls (if used)
Added p. 17
<Report Findings Here> A3.3.1.1 Respond to failures of any critical security controls in a timely manner. Processes for responding to failures in security controls must include:
Added p. 17
• Identifying and documenting cause(s) of failure, including root cause, and document remediation required to address root
Added p. 17
• Resuming monitoring of security controls
Added p. 18
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings A3.3.1.1.a Examine documented policies and procedures and interview personnel to verify processes are defined and implemented to respond to a security control failure, and include:
Added p. 18
• Resuming monitoring of security Identify the policies and procedures document(s) examined to verify that processes are defined and implemented to respond to a security control failure, and include:

• Resuming monitoring of security controls <Report Findings Here> Identify the personnel interviewed who confirm that processes are defined and implemented to respond to a security control failure, and include:

• Identification of cause(s) of the failure, including root cause

• Identification of cause(s) of the failure, including root cause

• Duration (date and time start and end) of the security failure

• Duration (date and time start and end) of the security failure

<Report Findings Here> A3.3.3 Perform reviews at least quarterly to verify BAU activities are being followed. Reviews must be performed by personnel assigned to the PCI DSS compliance program (as identified in A3.1.3), and include the following:

• Confirm that all BAU activities (e.g. A3.2.2, A3.2.6, and A3.3.1) are being performed

• Confirm that personnel …
Added p. 22
• Response to alerts in accordance with documented response procedures
Added p. 23
• Issuance of timely alerts to responsible

• Issuance of timely alerts to responsible personnel

• Issuance of timely alerts to responsible personnel
Modified p. 3
This “Supplemental ROC Template” or “S-ROC” document is to be completed according to the same instructions provided in the Reporting Template for PCI DSS v3.2. Refer to the Reporting Template(s) for use with PCI DSS v3.2 and the ROC Reporting Template for PCI DSS v3.x: Frequently Asked Questions (FAQs) documents on the PCI SSC website for detailed instruction on how to complete these reporting templates. As such, do not delete any content from any place in this document, including this …
This “Supplemental ROC Template” or “S-ROC” document is to be completed according to the same instructions provided in the Reporting Template for PCI DSS v3.2.1. Refer to the Reporting Template(s) for use with PCI DSS v3.2.1 and the ROC Reporting Template for PCI DSS v3.x: Frequently Asked Questions (FAQs) documents on the PCI SSC website for detailed instruction on how to complete these reporting templates. As such, do not delete any content from any place in this document, including this …
Modified p. 3
The “S-ROC” template is an addendum to the ROC Reporting Template and is not intended to stand alone. Because of this, details related to Scope of Work, Details of Reviewed Environment and so on that are applicable to the environment reviewed for the S-ROC must be included in the applicable sections in the full ROC for that entity. For example, the list of interviewees in the full ROC should also include any persons interviewed during assessment of the PCI DSS …
The “S-ROC” template is an addendum to the ROC Reporting Template and is not intended to stand alone. Because of this, details related to Scope of Work, Details of Reviewed Environment and so on that are applicable to the environment reviewed for the S-ROC must be included in the applicable sections in the full ROC for that entity. For example, the list of interviewees in the full ROC should also include any persons interviewed during assessment of the PCI DSS …
Modified p. 4
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A A3.1 Implement a PCI DSS compliance program A3.1.1 Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program to include:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings A3.1 Implement a PCI DSS compliance program In Place In Place w/ CCW N/A A3.1.1 Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program to include:
Modified p. 4
• Overall accountability for maintaining PCI DSS compliance • Defining a charter for a PCI DSS compliance program • Provide updates to executive management and board of directors on PCI DSS compliance initiatives and issues, including remediation activities, at least annually.
Provide updates to executive management and board of directors on PCI DSS compliance initiatives and issues, including remediation activities, at least annually.
Removed p. 5
• Definition of activities for maintaining and monitoring overall PCI DSS compliance, including business as usual activities • Annual PCI DSS assessment processes • Processes for the continuous validation of PCI DSS requirements (for example: daily, weekly, quarterly, etc. as applicable per requirement). • A process for performing business impact analyses to determine potential PCI DSS impacts for strategic business
Modified p. 5
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A A3.1.2 A formal PCI DSS compliance program must be in place to include:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings A3.1.2 A formal PCI DSS compliance program must be in place to include:
Modified p. 5
PCI DSS Reference: Requirements 1-12 A3.1.2.a Examine information security policies and procedures to verify that processes are specifically defined for the following:
PCI DSS Reference: Requirements 1-12 In Place w/ CCW N/A A3.1.2.a Examine information security policies and procedures to verify that processes are specifically defined for the following:
Modified p. 5
• Maintaining and monitoring overall PCI DSS compliance, including business as usual activities • Annual PCI DSS assessment(s) • Continuous validation of PCI DSS requirements • Business impact analyses to determine potential PCI DSS impacts for strategic business decisions Identify the information security policies and procedures document(s) examined to verify that processes are specifically defined for the following:
Business impact analyses to determine potential PCI DSS impacts for strategic business decisions Identify the information security policies and procedures document(s) examined to verify that processes are specifically defined for the following:
Removed p. 6
• Maintaining and monitoring overall PCI DSS compliance, including business as usual activities • Annual PCI DSS assessment(s) • Continuous validation of PCI DSS requirements • Business impact analyses to determine potential PCI DSS impacts for strategic business decisions <Report Findings Here> Describe how compliance activities were observed to verify that defined processes are implemented for the following:
Modified p. 6
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A A3.1.2.b Interview personnel and observe compliance activities to verify that the defined processes are implemented for the following:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings A3.1.2.b Interview personnel and observe compliance activities to verify that the defined processes are implemented for the following:
Modified p. 6
• Maintaining and monitoring overall PCI DSS compliance, including business as usual activities • Annual PCI DSS assessment(s) • Continuous validation of PCI DSS requirements • Business impact analyses to determine potential PCI DSS impacts for strategic business decisions Identify the personnel interviewed who confirm that defined processes are implemented for:
Business impact analyses to determine potential PCI DSS impacts for strategic business decisions Identify the personnel interviewed who confirm that defined processes are implemented for:
Modified p. 6
• Maintaining and monitoring overall PCI DSS compliance, including business as usual activities <Report Findings Here> • Annual PCI DSS assessment(s) <Report Findings Here> • Continuous validation of PCI DSS requirements <Report Findings Here> • Business impact analyses to determine potential PCI DSS impacts for strategic business decisions <Report Findings Here> A3.1.3 PCI DSS compliance roles and responsibilities must be specifically defined and formally assigned to one or more personnel, including at least the following:
Business impact analyses to determine potential PCI DSS impacts for strategic business decisions <Report Findings Here> A3.1.3 PCI DSS compliance roles and responsibilities must be specifically defined and formally assigned to one or more personnel, including at least the following:
Modified p. 6
• Managing PCI DSS business as usual activities • Managing annual PCI DSS assessments • Managing continuous validation of PCI DSS requirements (for example: daily, weekly, quarterly, etc. as applicable per requirement) • Managing business impact analyses to determine potential PCI DSS impacts for strategic business decisions
Managing continuous validation of PCI DSS requirements (for example: daily, weekly, quarterly, etc. as applicable per requirement)
Removed p. 7
• Managing PCI DSS business as usual activities • Managing annual PCI DSS assessments • Managing continuous validation of PCI DSS requirements (for example: daily, weekly, quarterly, etc. as applicable per requirement) • Managing business impact analyses to determine potential PCI DSS impacts for strategic business decisions Identify the information security policies and procedures document(s) examined to verify that roles and responsibilities are clearly defined and that duties are assigned to include at least the following:

• Managing PCI DSS business as usual activities • Managing annual PCI DSS assessments • Managing continuous validation of PCI DSS requirements • Managing business impact analyses to determine potential PCI DSS impacts for strategic business decisions <Report Findings Here> A3.1.3.b Interview responsible personnel and verify they are familiar with and performing their designated PCI DSS compliance responsibilities.
Modified p. 7
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A A3.1.3.a Examine information security policies and procedures and interview personnel to verify that roles and responsibilities are clearly defined and that duties are assigned to include at least the following:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings A3.1.3.a Examine information security policies and procedures and interview personnel to verify that roles and responsibilities are clearly defined and that duties are assigned to include at least the following:
Modified p. 7
• Managing PCI DSS business as usual activities • Managing annual PCI DSS assessments • Managing continuous validation of PCI DSS requirements • Managing business impact analyses to determine potential PCI DSS impacts for strategic business decisions <Report Findings Here> Identify the personnel interviewed who confirm that roles and responsibilities are clearly defined and that duties are assigned to include at least the following:
Managing business impact analyses to determine potential PCI DSS impacts for strategic business decisions <Report Findings Here> Identify the personnel interviewed who confirm that roles and responsibilities are clearly defined and that duties are assigned to include at least the following:
Modified p. 8 → 7
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A A3.1.4 Provide up-to-date PCI DSS and/or information security training at least annually to personnel with PCI DSS compliance responsibilities (as identified in A3.1.3).
<Report Findings Here> A3.1.4 Provide up-to-date PCI DSS and/or information security training at least annually to personnel with PCI DSS compliance responsibilities (as identified in A3.1.3).
Modified p. 8 → 7
PCI DSS Reference: Requirement 12 A3.1.4.a Examine information security policies and procedures to verify that PCI DSS and/or similar information security training is required at least annually for each role with PCI DSS compliance responsibilities.
PCI DSS Reference: Requirement 12 In Place w/ CCW N/A A3.1.4.a Examine information security policies and procedures to verify that PCI DSS and/or similar information security training is required at least annually for each role with PCI DSS compliance responsibilities.
Modified p. 8
<Report Findings Here> A3.1.4.b Interview personnel and examine certificates of attendance or other records to verify that personnel with PCI DSS compliance responsibility receive up-to-date PCI DSS and/or similar information security training at least annually.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings A3.1.4.b Interview personnel and examine certificates of attendance or other records to verify that personnel with PCI DSS compliance responsibility receive up-to-date PCI DSS and/or similar information security training at least annually.
Modified p. 8
<Report Findings Here> Identify the certificates of attendance or other records examined to verify that personnel with PCI DSS compliance responsibility receive up-to- date PCI DSS and/or similar information security training at least annually.
<Report Findings Here> Identify the certificates of attendance or other records examined to verify that personnel with PCI DSS compliance responsibility receive up-to-date PCI DSS and/or similar information security training at least annually.
Modified p. 8
<Report Findings Here> A3.2 Document and validate PCI DSS scope A3.2.1 Document and confirm the accuracy of PCI DSS scope at least quarterly and upon significant changes to the in- scope environment. At a minimum, the quarterly scoping validation should include:
<Report Findings Here> A3.2 Document and validate PCI DSS scope In Place In Place w/ CCW N/A A3.2.1 Document and confirm the accuracy of PCI DSS scope at least quarterly and upon significant changes to the in-scope environment. At a minimum, the quarterly scoping validation should include:
Modified p. 8
• Identifying all in-scope networks and system components • Identifying all out-of-scope networks and justification for networks being out of scope, including descriptions of all segmentation controls implemented • Identifying all connected entities (e.g. third party entities with access to the cardholder data environment (CDE))
Identifying all out-of-scope networks and justification for networks being out of scope, including descriptions of all segmentation controls implemented
Modified p. 8
• At least quarterly Identify the documented results of scope reviews examined to verify that the reviews are performed:
• After significant changes to the in- scope environment Identify the documented results of scope reviews examined to verify that the reviews are performed:
Modified p. 9 → 8
• At least quarterly • After significant changes to the in-scope environment <Report Findings Here> A3.2.1.b Examine documented results of quarterly scope reviews to verify the following is performed:
After significant changes to the in-scope environment <Report Findings Here> Identify the personnel interviewed who confirm that the reviews are performed:
Modified p. 9
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Place • After significant changes to the in-scope environment Identify the personnel interviewed who confirm that the reviews are performed:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings A3.2.1.b Examine documented results of quarterly scope reviews to verify the following is performed:
Modified p. 9
• Identification of all in-scope networks and system components • Identification of all out-of-scope networks and justification for networks being out of scope, including descriptions of all segmentation controls implemented • Identification of all connected entities (e.g. third party entities with access to the CDE) Using the documented results of quarterly scope review identified at DE 2.1.a, describe how the documented results of quarterly scope reviews were observed to verify that the following is performed:
Identification of all connected entities (e.g. third party entities with access to the CDE) Using the documented results of quarterly scope review identified at DE 2.1.a, describe how the documented results of quarterly scope reviews were observed to verify that the following is performed:
Modified p. 9
• Identification of all in-scope networks and system components <Report Findings Here> • Identification of all out-of-scope networks and justification for networks being out of scope, including descriptions of all segmentation controls implemented <Report Findings Here> • Identification of all connected entities <Report Findings Here> A3.2.2 Determine PCI DSS scope impact for all changes to systems or networks, including additions of new systems and new network connections. Processes must include:
Identification of all connected entities <Report Findings Here> A3.2.2 Determine PCI DSS scope impact for all changes to systems or networks, including additions of new systems and new network connections. Processes must include:
Modified p. 9
• Performing a formal PCI DSS impact assessment • Identifying applicable PCI DSS requirements to the system or network • Updating PCI DSS scope as appropriate • Documented sign-off of the results of the impact assessment by responsible personnel (as defined in A3.1.3)
Documented sign-off of the results of the impact assessment by responsible personnel (as defined in A3.1.3)
Removed p. 10
• A formal PCI DSS impact assessment was • PCI DSS requirements applicable to the system or network changes were identified • PCI DSS scope was updated as appropriate for the change • Sign-off by responsible personnel (as defined in A3.1.3) was obtained and documented <Report Findings Here> A3.2.2.1 Upon completion of a change, all relevant PCI DSS requirements must be verified on all new or changed systems and networks, and documentation must be updated as applicable. Examples of PCI DSS requirements that should be verified include, but are not limited to:
Modified p. 10
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A A3.2.2 Examine change documentation and interview personnel to verify that for each change to systems or networks:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings A3.2.2 Examine change documentation and interview personnel to verify that for each change to systems or networks:
Modified p. 10
• A formal PCI DSS impact assessment was performed • PCI DSS requirements applicable to the system or network changes were identified • PCI DSS scope was updated as appropriate for the change • Sign-off by responsible personnel (as defined in A3.1.3) was obtained and documented Identify the change documentation examined to verify that for each change to systems or networks:
Sign-off by responsible personnel (as defined in A3.1.3) was obtained and documented Identify the change documentation examined to verify that for each change to systems or networks:
Modified p. 10
• A formal PCI DSS impact assessment was • PCI DSS requirements applicable to the system or network changes were identified • PCI DSS scope was updated as appropriate for the change • Sign-off by responsible personnel (as defined in A3.1.3) was obtained and documented <Report Findings Here> Identify the personnel interviewed who confirm that for each change to systems or networks:
Sign-off by responsible personnel (as defined in A3.1.3) was obtained and documented <Report Findings Here> Identify the personnel interviewed who confirm that for each change to systems or networks:
Modified p. 11
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A A3.2.2.1 For a sample of systems and network changes, examine change records, interview personnel and observe the affected systems/networks to verify that applicable PCI DSS requirements were implemented and documentation updated as part of the change.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings A3.2.2.1 For a sample of systems and network changes, examine change records, interview personnel and observe the affected systems/networks to verify that applicable PCI DSS requirements were implemented and documentation updated as part of the change.
Modified p. 11
PCI DSS Reference: Requirement 12 A3.2.3 Examine policies and procedures to verify that a change to organizational structure results in formal review of the impact to PCI DSS scope and applicability of controls.
PCI DSS Reference: Requirement 12 In Place w/ CCW N/A A3.2.3 Examine policies and procedures to verify that a change to organizational structure results in formal review of the impact to PCI DSS scope and applicability of controls.
Modified p. 11 → 12
PCI DSS Reference: Requirement 11 A3.2.4 Examine the results from the most recent penetration test to verify that:
<Report Findings Here> For the most recent penetration test, describe how examination of the results from the most recent penetration test verify that:
Modified p. 11 → 12
• Penetration testing to verify segmentation controls is Is segmentation in use? (yes/no) If no, mark the remainder of DE 2.4 as “not applicable.” <Report Findings Here> Identify the date of the most recent penetration test for which results are being examined.
Is segmentation in use? (yes/no) If no, mark the remainder of DE 2.4 as “not applicable.” <Report Findings Here> Identify the date of the most recent penetration test for which results are being examined.
Removed p. 12
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Place performed at least every six months and after any changes to segmentation controls/methods, • The penetration testing covers all segmentation controls/methods in use • The penetration testing verifies that segmentation controls/methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
Modified p. 12
Penetration testing to verify segmentation controls is performed at least every six months and after any changes to segmentation controls/methods, <Report Findings Here> • The penetration testing covers all segmentation controls/methods in use <Report Findings Here> • The penetration testing verifies that segmentation controls/methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
Penetration testing to verify segmentation controls is performed at least every six months and after any changes to segmentation controls/methods, <Report Findings Here>
Modified p. 13 → 12
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A A3.2.5 Implement a data discovery methodology to confirm PCI DSS scope and to locate all sources and locations of clear text PAN at least quarterly, and upon significant changes to the cardholder environment or processes.
<Report Findings Here> A3.2.5 Implement a data discovery methodology to confirm PCI DSS scope and to locate all sources and locations of clear text PAN at least quarterly, and upon significant changes to the cardholder environment or processes.
Modified p. 13 → 12
PCI DSS Reference: Scope of PCI DSS Requirements A3.2.5.a Examine documented data discovery methodology to verify the following:
PCI DSS Reference: Scope of PCI DSS Requirements In Place w/ CCW N/A A3.2.5.a Examine documented data discovery methodology to verify the following:
Modified p. 13 → 12
• Data discovery methodology includes processes for identifying all sources and locations of clear text PAN • Methodology takes into consideration the potential for clear text PAN to reside on systems and networks outside of the currently defined CDE.
Methodology takes into consideration the potential for clear text PAN to reside on systems and networks outside of the currently defined CDE.
Modified p. 13 → 12
Identify the data discovery methodology document(s) examined to verify that: • Data discovery methodology includes processes for identifying all sources and locations of clear text PAN • Methodology takes into consideration the potential for clear text PAN to reside on systems and networks outside of the currently defined CDE.
Methodology takes into consideration the potential for clear text PAN to reside on systems and networks outside of the currently defined CDE.
Modified p. 13
<Report Findings Here> A3.2.5.b Examine results from recent data discovery efforts, and interview responsible personnel to verify that data discovery is performed at least quarterly and upon significant changes to the cardholder environment or processes Describe the results from recent data discovery efforts examined to verify that data discovery is performed at least quarterly and upon significant changes to the cardholder environment or processes.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings A3.2.5.b Examine results from recent data discovery efforts, and interview responsible personnel to verify that data discovery is performed at least quarterly and upon significant changes to the cardholder environment or processes Describe the results from recent data discovery efforts examined to verify that data discovery is performed at least quarterly and upon significant changes to the cardholder environment or processes.
Removed p. 14
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A A3.2.5.1.a Interview personnel and review documentation to verify:

• The entity has a process in place to test the effectiveness of methods used for data discovery • The process includes verifying the methods are able to discover clear text PAN on all types of system components and file formats in use Identify the personnel interviewed who confirm that: • The entity has a process in place to test the effectiveness of methods used for data discovery • The process includes verifying the methods are able to discover clear text PAN on all types of system components and file formats in use <Report Findings Here> Identify the document(s) examined to verify that:
Modified p. 14 → 13
• The entity has a process in place to test the effectiveness of methods used for data discovery • The process includes verifying the methods are able to discover clear text PAN on all types of system components and file formats in use <Report Findings Here> A3.2.5.1.b Examine the results of recent effectiveness tests to verify the effectiveness of methods used for data discovery is confirmed at least annually.
The process includes verifying the methods are able to discover clear text PAN on all types of system components and file formats in use <Report Findings Here> A3.2.5.1.b Examine the results of recent effectiveness tests to verify the effectiveness of methods used for data discovery is confirmed at least annually.
Modified p. 14
<Report Findings Here> A3.2.5.2 Implement response procedures to be initiated upon the detection of clear text PAN outside of the CDE to include:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings A3.2.5.2 Implement response procedures to be initiated upon the detection of clear text PAN outside of the CDE to include:
Removed p. 15
• Procedures for determining what to do if clear text PAN is discovered outside of the CDE, including its retrieval, secure deletion and/or migration into the currently defined CDE, as applicable • Procedures for determining how the data ended up outside the CDE • Procedures for remediating data leaks or process gaps that resulted in the data being outside of the CDE • Procedures for identifying the source of the data • Procedures for identifying any other track data stored with the PANs Identify the response procedures document(s) examined to verify that procedures for responding to the detection of clear text PAN outside of the CDE are defined and include:
Modified p. 15 → 14
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A A3.2.5.2.a Examine documented response procedures to verify that procedures for responding to the detection of clear text PAN outside of the CDE are defined and include:
Procedures for identifying if any track data is stored with the PANs In Place w/ CCW N/A A3.2.5.2.a Examine documented response procedures to verify that procedures for responding to the detection of clear text PAN outside of the CDE are defined and include:
Modified p. 16 → 15
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A A3.2.6 Implement mechanisms for detecting and preventing clear text PAN from leaving the CDE via an unauthorized channel, method or process, including generation of audit logs and alerts.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings A3.2.6 Implement mechanisms for detecting and preventing clear text PAN from leaving the CDE via an unauthorized channel, method or process, including generation of audit logs and alerts.
Modified p. 16 → 15
PCI DSS Reference: Scope of PCI DSS Requirements A3.2.6.a Examine documentation and observe implemented mechanisms to verify that the mechanisms are:
PCI DSS Reference: Scope of PCI DSS Requirements In Place w/ CCW N/A A3.2.6.a Examine documentation and observe implemented mechanisms to verify that the mechanisms are:
Modified p. 16 → 15
• Implemented and actively running • Configured to detect and prevent clear text PAN leaving the CDE via an unauthorized channel, method or process • Generating logs and alerts upon detection of clear text PAN leaving the CDE via an unauthorized channel, method or process Identify the document(s) examined to verify that mechanisms are:
Generating logs and alerts upon detection of clear text PAN leaving the CDE via an unauthorized channel, method or process Identify the document(s) examined to verify that mechanisms are:
Modified p. 16 → 15
• Implemented and actively running • Configured to detect and prevent clear text PAN leaving the CDE via an unauthorized channel, method or process • Generating logs and alerts upon detection of clear text PAN leaving the CDE via an unauthorized channel, method or process <Report Findings Here> Describe the implemented mechanisms observed to verify that mechanisms are:
Generating logs and alerts upon detection of clear text PAN leaving the CDE via an unauthorized channel, method or process <Report Findings Here> Describe the implemented mechanisms observed to verify that mechanisms are:
Modified p. 16 → 15
• Implemented and actively running • Configured to detect and prevent clear text PAN leaving the CDE via an unauthorized channel, method or process • Generating logs and alerts upon detection of clear text PAN leaving the CDE via an unauthorized channel, method or process <Report Findings Here> A3.2.6.b Examine audit logs and alerts, and interview responsible personnel to verify that alerts are investigated.
Generating logs and alerts upon detection of clear text PAN leaving the CDE via an unauthorized channel, method or process <Report Findings Here> A3.2.6.b Examine audit logs and alerts, and interview responsible personnel to verify that alerts are investigated.
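A3.2.5, A3.2.5.1 and A3.2.6 above ask for three things an entity can actually exercise: a discovery method that finds clear text PAN wherever it sits, a periodic proof that the method works against every file format in use, and a control that logs and alerts when PAN tries to leave the CDE. The following is an added example written for this page; it is not code from the PCI SSC template or from any vendor tool. Everything in it is constructed: the file paths and their contents, the format table, and the outbound message. The card numbers are industry test PANs (Luhn-valid, issued to nobody), and the two non-card numbers are deliberate near misses that a digits-only search would report.

```python
from __future__ import annotations

import json
import re

# Candidate PAN: 13 to 19 digits, optionally split into groups by single spaces
# or hyphens, and not embedded in a longer digit run.  The Luhn check below
# removes most numeric false positives (IDs, timestamps, merchant numbers).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample "files", standing in for the system components and file
# formats in scope.  Two real-looking card numbers are industry test PANs; the
# 13- and 16-digit non-card values fail the Luhn check and must not be reported.
SAMPLE_FILES = {
    "/srv/export/orders.csv": "order_id,card,amount\n1001,4111 1111 1111 1111,19.99\n1002,tok_8f2c1a,5.00\n",
    "/var/log/app/debug.log": "2024-01-09T10:02:11Z DEBUG charge ok pan=5500000000000004 ref=77\n",
    "/opt/app/settings.json": json.dumps({"merchant_id": "1234567890123", "retry": 3}),
    "/home/ops/notes.txt": "call vendor re invoice 4000123412341235 (16 digits, fails Luhn)\n",
}


def luhn_ok(digits: str) -> bool:
    """ISO/IEC 7812 Luhn check: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four digits so the discovery report is not itself a PAN store."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid candidate PANs in text, as unspaced digit strings."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_files(files: dict[str, str]) -> dict[str, list[str]]:
    """A3.2.5-style discovery pass: path -> masked PANs found (paths with no hits omitted)."""
    report = {}
    for path, content in files.items():
        pans = find_pans(content)
        if pans:
            report[path] = [mask(p) for p in pans]
    return report


SEED_PAN = "4242424242424242"  # test PAN planted to prove the scanner works

# One builder per file format in use (constructed list).  Add an entry whenever a
# new format appears in the environment, otherwise the A3.2.5.1 check is incomplete.
SEED_FORMATS = {
    "csv": lambda p: f"id,card\n9,{p}\n",
    "json": lambda p: json.dumps({"card": p}),
    "log": lambda p: f"INFO charge pan={p[:4]} {p[4:8]} {p[8:12]} {p[12:]}\n",
    "xml": lambda p: "<card>" + "-".join(p[i:i + 4] for i in range(0, 16, 4)) + "</card>",
}


def verify_discovery(scanner=scan_files) -> dict[str, bool]:
    """A3.2.5.1-style effectiveness test: plant SEED_PAN in every format and
    confirm the scanner reports it from each one."""
    results = {}
    for fmt, build in SEED_FORMATS.items():
        path = f"seed.{fmt}"
        results[fmt] = mask(SEED_PAN) in scanner({path: build(SEED_PAN)}).get(path, [])
    return results


def check_egress(channel: str, payload: str) -> dict | None:
    """A3.2.6-style control point for a channel not authorised to carry PAN:
    return a structured log/alert record (PANs masked) if any is present, else None."""
    pans = find_pans(payload)
    if not pans:
        return None
    return {"event": "pan_egress_blocked", "channel": channel, "count": len(pans),
            "pans": [mask(p) for p in pans], "action": "block_and_alert"}


if __name__ == "__main__":
    print(json.dumps(scan_files(SAMPLE_FILES), indent=1))
    print(verify_discovery())
    print(check_egress("smtp", "FYI the customer's card is 4111 1111 1111 1111"))
```

Two design points matter for the assessor's questions. The discovery report masks what it finds, because a findings file full of clear text PAN would itself be a new location the next quarterly scan has to deal with. And the effectiveness test is driven by a table of formats rather than a fixed fixture, so when a new component or file type enters scope the missing entry is visible in the A3.2.5.1 evidence rather than silently untested.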
Modified p. 17 → 16
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A A3.2.6.1.a Examine documented response procedures to verify that procedures for responding to the attempted removal of clear text PAN from the CDE via an unauthorized channel, method or process include:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings A3.2.6.1.a Examine documented response procedures to verify that procedures for responding to the attempted removal of clear text PAN from the CDE via an unauthorized channel, method or process include:
Modified p. 17 → 16
• Procedures for the timely investigation of alerts by responsible personnel • Procedures for remediating data leaks or process gaps, as necessary, to prevent any data loss Identify the response procedures document(s) examined to verify that procedures for responding to the attempted removal of clear text PAN from the CDE via an unauthorized channel, method or process include:
Procedures for remediating data leaks or process gaps, as necessary, to prevent any data loss Identify the response procedures document(s) examined to verify that procedures for responding to the attempted removal of clear text PAN from the CDE via an unauthorized channel, method or process include:
Removed p. 18
• firewalls • IDS/IPS • FIM • anti-virus • physical access controls • logical access controls • audit logging mechanisms • segmentation controls (if used)

PCI DSS Reference: Requirements 1-12 A3.3.1.a Examine documented policies and procedures to verify that processes are defined to immediately detect and alert on critical security control failures.
Modified p. 18 → 17
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A A3.3.1 Implement a process to immediately detect and alert on critical security control failures. Examples of critical security controls include, but are not limited to:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings A3.3.1.a Examine documented policies and procedures to verify that processes are defined to immediately detect and alert on critical security control failures.
Removed p. 19
• Restoring security functions • Identifying and documenting the duration (date and time start to end) of the security failure • Identifying and documenting cause(s) of failure, including root cause, and document remediation required to address root cause • Identifying and addressing any security issues that arose during the failure • Performing a risk assessment to determine if further actions are required as a result of the security failure • Implementing controls to prevent cause of failure from reoccurring • Resuming monitoring of security controls PCI DSS Reference: Requirements 1-12 A3.3.1.1.a Examine documented policies and procedures and interview personnel to verify processes are defined and implemented to respond to a security control failure, and include:

• Restoring security functions • Identifying and documenting the duration (date and time start to end) of the security failure • Identifying and documenting cause(s) of failure, including root cause, and document remediation required to address …
Modified p. 19
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A A3.3.1.1 Respond to failures of any critical security controls in a timely manner. Processes for responding to failures in security controls must include:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings A3.3.1.1.b Examine records to verify that security control failures are documented to include:
Removed p. 20
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A • Performing a risk assessment to determine if further actions are required as a result of the security failure • Implementing controls to prevent cause of failure from reoccurring • Resuming monitoring of security controls Identify the personnel interviewed who confirm that processes are defined and implemented to respond to a security control failure, and include:

• Restoring security functions • Identifying and documenting the duration (date and time start to end) of the security failure • Identifying and documenting cause(s) of failure, including root cause, and document remediation required to address root cause • Identifying and addressing any security issues that arose during the failure • Performing a risk assessment to determine if further actions are required as a result of the security failure • Implementing controls …
Modified p. 20 → 19
• Identification of cause(s) of the failure, including root cause • Duration (date and time start and end) of the security failure • Details of the remediation required to address the root cause Identify the records of security control failures examined to verify that security control failures are documented to include:
Details of the remediation required to address the root cause Identify the records of security control failures examined to verify that security control failures are documented to include:
Modified p. 21 → 19
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A A3.3.2 Review hardware and software technologies at least annually to confirm whether they continue to meet the organization’s PCI DSS requirements. (For example, a review of technologies that are no longer supported by the vendor, and/or no longer meet the security needs of the organization.) The process includes a plan for remediating technologies that no longer meet …
• Details of the remediation required to address the root cause <Report Findings Here> A3.3.2 Review hardware and software technologies at least annually to confirm whether they continue to meet the organization’s PCI DSS requirements. (For example, a review of technologies that are no longer supported by the vendor, and/or no longer meet the security needs of the organization.) The process includes a plan for remediating technologies that no longer meet the organization’s PCI DSS requirements, up to and including …
Modified p. 21 → 19
PCI DSS Reference: Requirement 2, 6 A3.3.2.a Examine documented policies and procedures and interview personnel to verify processes are defined and implemented to review hardware and software technologies to confirm whether they continue to meet the organization’s PCI DSS requirements.
PCI DSS Reference: Requirement 2, 6 In Place w/ CCW N/A A3.3.2.a Examine documented policies and procedures and interview personnel to verify processes are defined and implemented to review hardware and software technologies to confirm whether they continue to meet the organization’s PCI DSS requirements.
Modified p. 21 → 20
<Report Findings Here> A3.3.2.c For any technologies that have been determined to no longer meet the organization’s PCI DSS requirements, verify a plan is in place to remediate the technology.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings A3.3.2.c For any technologies that have been determined to no longer meet the organization’s PCI DSS requirements, verify a plan is in place to remediate the technology.
Removed p. 22
• Confirm that all BAU activities (e.g. A3.2.2, A3.2.6, and A3.3.1) are being performed • Confirm that personnel are following security policies and operational procedures (for example, daily log reviews, firewall rule-set reviews, configuration standards for new systems, etc.) • Document how the reviews were completed, including how all BAU activities were verified as being in place • Collection of documented evidence as required for the annual PCI DSS assessment • Review and sign off of results by personnel assigned responsibility for the PCI DSS compliance program (as identified in A3.1.3) • Retention of records and documentation, for at least 12 months, covering all BAU activities
Modified p. 22 → 21
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A A3.3.3 Perform reviews at least quarterly to verify BAU activities are being followed. Reviews must be performed by personnel assigned to the PCI DSS compliance program (as identified in A3.1.3), and include the following:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings A3.3.3.a Examine policies and procedures to verify that processes are defined for reviewing and verifying BAU activities. Verify the procedures include:
Removed p. 23
• Confirming that all BAU activities (e.g. A3.2.2, A3.2.6, and A3.3.1) are being performed • Confirming that personnel are following security policies and operational procedures (for example, daily log reviews, firewall rule-set reviews, configuration standards for new systems, etc.) • Documenting how the reviews were completed, including how all BAU activities were verified as being in place • Collecting documented evidence as required for the annual PCI DSS assessment • Reviewing and sign off of results by executive management assigned responsibility for PCI DSS governance • Retaining records and documentation, for at least 12 months, covering all BAU activities Identify the policies and procedures document(s) examined to verify that processes are defined for reviewing and verifying BAU activities. Verify the procedures include:
Modified p. 23 → 22
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A A3.3.3.a Examine policies and procedures to verify that processes are defined for reviewing and verifying BAU activities. Verify the procedures include:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings A3.4 Control and manage logical access to the cardholder data environment. In Place In Place w/ CCW N/A A3.4.1 Review user accounts and access privileges to in-scope system components at least every six months to ensure user accounts and access remain appropriate, based on job function, and authorized.
Removed p. 24
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A A3.3.3.b Interview responsible personnel and examine records of reviews to verify that:

• Reviews are performed by personnel assigned to the PCI DSS compliance program • Reviews are performed at least quarterly <Report Findings Here> A3.4 Control and manage logical access to the cardholder data environment.
Modified p. 24 → 21
• Reviews are performed by personnel assigned to the PCI DSS compliance program • Reviews are performed at least quarterly Identify the responsible personnel interviewed who confirm that:
Reviews are performed at least quarterly Identify the responsible personnel interviewed who confirm that:
Modified p. 24 → 21
• Reviews are performed by personnel assigned to the PCI DSS compliance program • Reviews are performed at least quarterly <Report Findings Here> Identify the records of reviews document(s) examined to verify that:
Reviews are performed at least quarterly <Report Findings Here> Identify the records of reviews document(s) examined to verify that:
Modified p. 24 → 22
• User accounts and access privileges are reviewed at least every six months • Reviews confirm that access is appropriate based on job function, and that all access is authorized Identify the personnel interviewed who confirm that:
Reviews confirm that access is appropriate based on job function, and that all access is authorized Identify the personnel interviewed who confirm that:
Modified p. 24 → 22
• User accounts and access privileges are reviewed at least every six months • Reviews confirm that access is appropriate based on job function, and that all access is authorized <Report Findings Here> Identify the supporting document(s) examined to verify that:
Reviews confirm that access is appropriate based on job function, and that all access is authorized <Report Findings Here> Identify the supporting document(s) examined to verify that:
Removed p. 25
• Identification of anomalies or suspicious activity as they occur • Issuance of timely alerts to responsible personnel • Response to alerts in accordance with documented response procedures <Report Findings Here> Identify the personnel interviewed who confirm that a methodology is defined and implemented to identify attack patterns and undesirable behavior across systems in a timely manner, and includes the following:
Modified p. 25 → 22
A3.5.1 Implement a methodology for the timely identification of attack patterns and undesirable behavior across systems (for example, using coordinated manual reviews and/or using centrally-managed or automated log correlation tools) to include at least the following:
• Reviews confirm that access is appropriate based on job function, and that all access is authorized <Report Findings Here> A3.5 Identify and respond to suspicious events. In Place In Place w/ CCW N/A A3.5.1 Implement a methodology for the timely identification of attack patterns and undesirable behavior across systems (for example, using coordinated manual reviews and/or using centrally-managed or automated log correlation tools) to include at least the following:
Modified p. 25 → 22
• Identification of anomalies or suspicious activity as they occur • Issuance of timely alerts upon detection of suspicious activity or anomaly to responsible personnel • Response to alerts in accordance with documented response procedures
Issuance of timely alerts upon detection of suspicious activity or anomaly to responsible personnel
Modified p. 25 → 23
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A A3.5 Identify and respond to suspicious events.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings A3.5.1.a Review documentation and interview personnel to verify a methodology is defined and implemented to identify attack patterns and undesirable behavior across systems in a timely manner, and includes the following:
Modified p. 25 → 23
PCI DSS Reference: Requirements 10, 12 A3.5.1.a Review documentation and interview personnel to verify a methodology is defined and implemented to identify attack patterns and undesirable behavior across systems in a timely manner, and includes the following:
• Response to alerts in accordance with documented response procedures <Report Findings Here> Identify the personnel interviewed who confirm that a methodology is defined and implemented to identify attack patterns and undesirable behavior across systems in a timely manner, and includes the following:
Modified p. 25 → 23
• Identification of anomalies or suspicious activity as they occur • Issuance of timely alerts to responsible personnel • Response to alerts in accordance with documented response procedures Identify the policies and procedures document(s) examined to verify that a methodology is defined and implemented to identify attack patterns and undesirable behavior across systems in a timely manner, and includes the following:
Response to alerts in accordance with documented response procedures Identify the policies and procedures document(s) examined to verify that a methodology is defined and implemented to identify attack patterns and undesirable behavior across systems in a timely manner, and includes the following:
Modified p. 26 → 23
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A A3.5.1.b Examine incident response procedures and interview responsible personnel to verify that:
Response to alerts in accordance with documented response procedures <Report Findings Here> A3.5.1.b Examine incident response procedures and interview responsible personnel to verify that:
Modified p. 26 → 23
• On-call personnel receive timely alerts • Alerts are responded to per documented response procedures Identify the incident response procedures document(s) examined to verify that:
Alerts are responded to per documented response procedures Identify the incident response procedures document(s) examined to verify that:
Modified p. 26 → 23
• On-call personnel receive timely alerts • Alerts are responded to per documented response procedures <Report Findings Here> Identify the personnel interviewed who confirm that:
Alerts are responded to per documented response procedures <Report Findings Here> Identify the personnel interviewed who confirm that:
Modified p. 26 → 23
• On-call personnel receive timely alerts • Alerts are responded to per documented response procedures <Report Findings Here>
Alerts are responded to per documented response procedures <Report Findings Here>
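A3.5.1 names log correlation across systems as one acceptable methodology, and the testing procedures above ask how anomalies are identified as they occur, how on-call personnel are alerted, and which documented procedure the response follows. The following is an added example written for this page, not code from the PCI SSC template or from any SIEM product, showing the smallest version of that methodology: normalise events from two different systems, correlate them by source address in a sliding window, and emit an alert record that carries the routing and procedure fields an assessor would look for. The log lines, host names and addresses are constructed (RFC 5737 documentation ranges), and the notify and procedure values are placeholders for an entity's own.

```python
from __future__ import annotations

import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed log lines as a central collector might present them from two
# different systems: an sshd bastion and an nginx front end.  One source
# address fails on both systems; the other fails once and then succeeds.
LOG_LINES = [
    "2024-01-09T10:00:05Z bastion sshd[2210]: Failed password for root from 203.0.113.7 port 40122 ssh2",
    "2024-01-09T10:00:09Z bastion sshd[2210]: Failed password for invalid user oracle from 203.0.113.7 port 40130 ssh2",
    "2024-01-09T10:00:14Z bastion sshd[2211]: Failed password for admin from 203.0.113.7 port 40141 ssh2",
    "2024-01-09T10:01:02Z bastion sshd[2230]: Failed password for deploy from 198.51.100.23 port 50012 ssh2",
    "2024-01-09T10:01:40Z bastion sshd[2231]: Accepted publickey for deploy from 198.51.100.23 port 50013 ssh2",
    '2024-01-09T10:02:30Z web01 nginx: 203.0.113.7 - - "POST /admin/login HTTP/1.1" 401 512 "-" "python-requests/2.31"',
    '2024-01-09T10:02:31Z web01 nginx: 203.0.113.7 - - "POST /admin/login HTTP/1.1" 401 512 "-" "python-requests/2.31"',
    '2024-01-09T10:02:33Z web01 nginx: 198.51.100.44 - - "GET /index.html HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '2024-01-09T10:02:35Z web01 nginx: 203.0.113.7 - - "POST /admin/login HTTP/1.1" 401 512 "-" "python-requests/2.31"',
]

SSHD_FAIL = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port")
NGINX_REQ = re.compile(r'^(\S+) (\S+) nginx: (\S+) - \S+ "\w+ \S+ [^"]*" (\d{3})')


@dataclass
class Event:
    ts: datetime
    host: str
    src: str
    kind: str


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse(line: str) -> Event | None:
    """Normalise one raw line into an authentication-failure event, or None if it is not one."""
    m = SSHD_FAIL.match(line)
    if m:
        return Event(_ts(m[1]), m[2], m[3], "ssh_auth_fail")
    m = NGINX_REQ.match(line)
    if m and m[4] in ("401", "403"):
        return Event(_ts(m[1]), m[2], m[3], "web_auth_fail")
    return None


def correlate(events: list[Event], threshold: int = 5,
              window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Sliding-window correlation by source address.  Fire once per source when
    failures inside the window reach the threshold AND span at least two
    different systems, a pattern no single host's own log review would show."""
    recent: dict[str, deque] = defaultdict(deque)
    alerted: set[str] = set()
    alerts: list[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        q = recent[ev.src]
        q.append(ev)
        while ev.ts - q[0].ts > window:
            q.popleft()
        hosts = sorted({e.host for e in q})
        if len(q) >= threshold and len(hosts) >= 2 and ev.src not in alerted:
            alerted.add(ev.src)
            alerts.append({
                "severity": "high",
                "rule": "auth_failures_across_systems",
                "src": ev.src, "hosts": hosts, "count": len(q),
                "first": q[0].ts.isoformat(), "last": ev.ts.isoformat(),
                # Who is paged and which documented procedure they follow are the
                # A3.5.1 bullets; these two values are placeholders for the entity's own.
                "notify": "on-call", "procedure": "incident response: credential attack",
            })
    return alerts


def detect(lines: list[str], **kw) -> list[dict]:
    """Parse then correlate, silently dropping lines that are not auth failures."""
    return correlate([e for e in map(parse, lines) if e], **kw)


if __name__ == "__main__":
    for alert in detect(LOG_LINES):
        print(alert)
```

Run stand-alone it prints a single alert for 203.0.113.7 spanning bastion and web01. The point the assessor probes is visible in the output record: the alert is produced as the fifth failure arrives, not at a later batch review, and it names who is to be notified and which procedure governs the response, so the evidence for A3.5.1.a and A3.5.1.b can be read straight off the alert store.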