Document Comparison

PCI-DSS-v4-0-DESV-S-ROC-Template-r1.pdf → PCI-DSS-v4-0-1-DESV-S-ROC-Template.pdf
80% similar
39 → 34 Pages
8530 → 7237 Words
69 Content Changes

From Revision History

  • July 2024 For use with PCI DSS v4.0.1 To update the template to align with PCI DSS v4.0.1 and with updated formatting in the ROC Template for v4.0.1.
  • August 2024 © 2006 - 2024 PCI Security Standards Council, LLC. All Rights Reserved. Page 2

Content Changes

69 content changes. 37 administrative changes (dates, page numbers) hidden.

Added p. 3
The Customized Approach is not an option Designated Entities Supplemental Validation and reporting for it is not included in this supplemental ROC template.

DESV Requirement | Assessment Finding (Select all options that apply.)
Select Below If Compensating Control Was Used | In Place | Not Applicable | Not in Place
Requirement A3.1: ☐ ☐ ☐ ☐
Requirement A3.2: ☐ ☐ ☐ ☐
Requirement A3.3: ☐ ☐ ☐ ☐
Requirement A3.4: ☐ ☐ ☐ ☐
Requirement A3.5: ☐ ☐ ☐ ☐
In the sections below, identify the DESV requirements with the following results and assessment method. If there are none, enter “Not Applicable.” Note: Natural grouping of requirements is allowed (for example, Req. A3.1.1, A3.1.2, A3.1.3, or A3.1.1 through A3.1.4, etc.) to reduce the number of individual requirements listed.
Added p. 5
A3.1.1.c Examine executive management and board of directors Identify the evidence reference number(s) from Section 6 of the ROC
Added p. 30
Identify the evidence reference number(s) from Section 6 of the ROC Template for all interviews conducted for this testing procedure.
Modified p. 1
PCI DSS v4.0 Supplemental Report on Compliance Template Designated Entities Supplemental Validation Revision 1
PCI DSS v4.0.1 Supplemental Report on Compliance Template Designated Entities Supplemental Validation
Modified p. 3
This “Supplemental ROC Template” or “S-ROC” is to be completed according to the same instructions provided in the PCI DSS v4.0 Report on Compliance (ROC) Template. Refer to the PCI DSS v4.0 ROC Template and the PCI DSS v4.x Report on Compliance Template
This “Supplemental ROC Template” or “S-ROC” is to be completed according to the same instructions provided in the PCI DSS v4.0.1 Report on Compliance (ROC) Template. Refer to the PCI DSS v4.0.1 ROC Template and the PCI DSS v4.x Report on Compliance Template
Modified p. 3
The S-ROC template is an addendum to the ROC Template and is not intended to stand alone. Because of this, details related to Scope of Work, Details of Reviewed Environment, Remote Assessment Activities, and so on that are applicable to the environment reviewed for the S-ROC must be included in the applicable sections in the full ROC for that entity. For example, the list of evidence in the full ROC must also include any evidence reviewed during assessment of activities …
The S-ROC template is an addendum to the ROC Template and is not intended to stand alone. Because of this, details related to Scope of Work, Details of Reviewed Environment, Remote Assessment Activities, etc. that are applicable to the environment reviewed for the S-ROC must be included in the applicable sections in the full ROC for that entity. For example, the list of evidence in the full ROC must also include any evidence reviewed during assessment of activities for the …
Removed p. 4
Select If Below Method Was: In Place | Not Applicable | Not in Place | Compensating Control
Requirement A3.1: ☐ ☐ ☐ ☐
Requirement A3.2: ☐ ☐ ☐ ☐
Requirement A3.3: ☐ ☐ ☐ ☐
Requirement A3.4: ☐ ☐ ☐ ☐
Requirement A3.5: ☐ ☐ ☐ ☐
In the sections below, identify the DESV requirements with the following results and assessment method. If there are none, enter “Not Applicable.” Note: Natural grouping of requirements is allowed (for example, Req. A3.1.1, A3.1.2, A3.1.3, or A3.1.1 through A3.1.4, etc.) to reduce the number of individual requirements listed.
Modified p. 4
Not Applicable Not in Place Due to a Legal Restriction Not in Place Not Due to a Legal Restriction Compensating Control <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here>
Not Applicable Not in Place Due to a Legal Restriction Not in Place Not Due to a Legal Restriction Compensating Control
Removed p. 5
<Enter Response Here> 2 Findings and Observations Requirement Description A3.1 A PCI DSS compliance program is implemented.
Modified p. 5
• Providing updates to executive management and board of directors on PCI DSS compliance initiatives and issues, including remediation activities, at least once every 12 months. PCI DSS Reference: Requirement 12 Assessment Findings (select one) In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.
• Providing updates to executive management and board of directors on PCI DSS compliance initiatives and issues, including remediation activities, at least once every 12 months. PCI DSS Reference: Requirement 12 Assessment Findings (select one) Select If a Compensating Control Was Used* In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions. *Complete and …
Removed p. 6
<Enter Response Here> A3.1.1.c Examine executive management and board of directors meeting minutes and/or presentations to ensure PCI DSS compliance initiatives and remediation activities are communicated at least once every 12 months.
Modified p. 6 → 5
<Enter Response Here> Testing Procedures Reporting Instructions Reporting Details: Assessor’s Response A3.1.1.a Examine documentation to verify executive management has assigned overall accountability for maintaining the entity’s PCI DSS compliance.
Testing Procedures Reporting Instructions Reporting Details: Assessor’s Response A3.1.1.a Examine documentation to verify executive management has assigned overall accountability for maintaining the entity’s PCI DSS compliance.
Modified p. 6 → 5
<Enter Response Here> A3.1.1.b Examine the company’s PCI DSS charter to verify it outlines the conditions under which the PCI DSS compliance program is organized.
A3.1.1.b Examine the company’s PCI DSS charter to verify it outlines the conditions under which the PCI DSS compliance program is organized.
Modified p. 6
Identify the evidence reference number(s) from Section 6 of the ROC Template for all executive management and board of directors meeting minutes and/or presentations examined for this testing procedure.
Template for all executive management and board of directors meeting minutes and/or presentations examined for this testing procedure.
Modified p. 7
• A process for performing business-impact analysis to determine potential PCI DSS impacts for strategic business decisions. PCI DSS Reference: Requirements 1-12 Assessment Findings (select one) In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.
• A process for performing business-impact analysis to determine potential PCI DSS impacts for strategic business decisions. PCI DSS Reference: Requirements 1-12 Assessment Findings (select one) Select If a Compensating Control Was Used* In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions. *Complete and attach Appendix C to support this method.
Removed p. 8
<Enter Response Here> Identify the evidence reference number(s) from Section 6 of the ROC Template for all observation(s) of compliance activities for this testing procedure.
Modified p. 8 → 7
<Enter Response Here> A3.1.2.b Interview personnel and observe compliance activities to verify that a formal PCI DSS compliance program is implemented in accordance with all elements specified in this requirement.
A3.1.2.b Interview personnel and observe compliance activities to verify that a formal PCI DSS compliance program is implemented in Identify the evidence reference number(s) from Section 6 of the ROC Template for all interviews conducted for this testing procedure.
Modified p. 8
Identify the evidence reference number(s) from Section 6 of the ROC Template for all interview(s) conducted for this testing procedure.
Identify the evidence reference number(s) from Section 6 of the ROC Template for all observations of compliance activities for this testing procedure.
Removed p. 9
Validation Method

• Defined Approach Indicate whether a Compensating Control was used: ☐ Yes ☐ No If “Yes”, Identify the aspect(s) of the requirement where the Compensating Control(s) was used. Note: The use of Compensating Controls must also be documented Appendix C of the ROC Template.
Modified p. 9
• Managing business-impact analysis to determine potential PCI DSS impacts for strategic business decisions. PCI DSS Reference: Requirement 12 Assessment Findings (select one) In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.
• Managing business-impact analysis to determine potential PCI DSS impacts for strategic business decisions. PCI DSS Reference: Requirement 12 Assessment Findings (select one) Select If a Compensating Control Was Used* In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions. *Complete and attach Appendix C to support this method.
Modified p. 10 → 9
<Enter Response Here> A3.1.3.b Interview responsible personnel and verify they are familiar with and performing their designated PCI DSS compliance responsibilities.
A3.1.3.b Interview responsible personnel and verify they are familiar with and performing their designated PCI DSS compliance responsibilities.
Modified p. 10
PCI DSS Requirement A3.1.4 Up-to-date PCI DSS and/or information security training is provided at least once every 12 months to personnel with PCI DSS compliance responsibilities (as identified in A3.1.3). PCI DSS Reference: Requirement 12 Assessment Findings (select one) In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.
PCI DSS Requirement A3.1.4 Up-to-date PCI DSS and/or information security training is provided at least once every 12 months to personnel with PCI DSS compliance responsibilities (as identified in A3.1.3). PCI DSS Reference: Requirement 12 Assessment Findings (select one) Select If a Compensating Control Was Used* In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC …
Modified p. 11 → 10
<Enter Response Here> Testing Procedures Reporting Instructions Reporting Details: Assessor’s Response A3.1.4.a Examine information security policies and procedures to verify that PCI DSS and/or information security training is required at least once every 12 months for each role with PCI DSS compliance responsibilities.
Testing Procedures Reporting Instructions Reporting Details: Assessor’s Response A3.1.4.a Examine information security policies and procedures to verify that PCI DSS and/or information security training is required at least once every 12 months for each role with PCI DSS compliance responsibilities.
Modified p. 11 → 10
<Enter Response Here> A3.1.4.b Interview personnel and examine certificates of attendance or other records to verify that personnel with PCI DSS compliance responsibility receive up-to-date PCI DSS and/or similar information security training at least once every 12 months.
A3.1.4.b Interview personnel and examine certificates of attendance or other records to verify that personnel with PCI DSS compliance responsibility receive up-to-date PCI DSS and/or similar information security training at least once every 12 months.
Modified p. 11 → 10
<Enter Response Here> Identify the evidence reference number(s) from Section 6 of the ROC Template for all certificates of attendance or other records examined for this testing procedure.
Identify the evidence reference number(s) from Section 6 of the ROC Template for all certificates of attendance or other records examined for this testing procedure.
Modified p. 13 → 12
• After significant changes to the in- scope environment.
• After significant changes to the in-scope environment.
Modified p. 13 → 12
<Enter Response Here> A3.2.1.b Examine documented results of scope reviews occurring at least once every three months to verify that scoping validation includes all elements specified in this requirement.
A3.2.1.b Examine documented results of scope reviews occurring at least once every three months to verify that scoping validation includes all elements specified in this requirement.
Modified p. 14 → 13
• Documented sign-off of the results of the impact assessment by responsible personnel (as defined in A3.1.3). PCI DSS Reference: Scope of PCI DSS Requirements; Requirements 1-12 Assessment Findings (select one) In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.
• Documented sign-off of the results of the impact assessment by responsible personnel (as defined in A3.1.3). PCI DSS Reference: Scope of PCI DSS Requirements; Requirements 1-12 Assessment Findings (select one) Select If a Compensating Control Was Used* In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions. *Complete and attach Appendix C to …
Removed p. 15
Validation Method

• Defined Approach Indicate whether a Compensating Control was used: ☐ Yes ☐ No
Modified p. 15 → 14
PCI DSS Requirement A3.2.2.1 Upon completion of a change, all relevant PCI DSS requirements are confirmed to be implemented on all new or changed systems and networks, and documentation is updated as applicable. PCI DSS Reference: Scope of PCI DSS Requirements; Requirement 1-12 Assessment Findings (select one) In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the …
PCI DSS Requirement A3.2.2.1 Upon completion of a change, all relevant PCI DSS requirements are confirmed to be implemented on all new or changed systems and networks, and documentation is updated as applicable. PCI DSS Reference: Scope of PCI DSS Requirements; Requirement 1-12 Assessment Findings (select one) Select If a Compensating Control Was Used* In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of …
Modified p. 16 → 14
<Enter Response Here> Testing Procedures Reporting Instructions Reporting Details: Assessor’s Response A3.2.2.1 Examine change records and the affected systems/networks, and interview personnel to verify that all relevant PCI DSS requirements were confirmed to be implemented and documentation updated as part of the change.
Testing Procedures Reporting Instructions Reporting Details: Assessor’s Response A3.2.2.1 Examine change records and the affected systems/networks, and interview personnel to verify that all relevant PCI DSS requirements were confirmed to be implemented and documentation updated as part of the change.
Modified p. 16 → 14
<Enter Response Here> Identify the evidence reference number(s) from Section 6 of the ROC Template for all affected systems/networks examined for this testing procedure.
Identify the evidence reference number(s) from Section 6 of the ROC Template for all affected systems/networks examined for this testing procedure.
Modified p. 17 → 15
PCI DSS Requirement A3.2.3 Changes to organizational structure result in a formal (internal) review of the impact to PCI DSS scope and applicability of controls. PCI DSS Reference: Requirement 12 Assessment Findings (select one) In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.
PCI DSS Requirement A3.2.3 Changes to organizational structure result in a formal (internal) review of the impact to PCI DSS scope and applicability of controls. PCI DSS Reference: Requirement 12 Assessment Findings (select one) Select If a Compensating Control Was Used* In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions. *Complete and attach …
Modified p. 17 → 15
<Enter Response Here> Testing Procedures Reporting Instructions Reporting Details: Assessor’s Response A3.2.3 Examine policies and procedures to verify that a change to organizational structure results in formal a review of the impact on PCI DSS scope and applicability of controls.
Testing Procedures Reporting Instructions Reporting Details: Assessor’s Response A3.2.3 Examine policies and procedures to verify that a change to organizational structure results in formal a review of the impact on PCI DSS scope and applicability of controls.
Modified p. 18 → 16
• The penetration testing verifies that segmentation controls/methods are operational and effective, and isolate the CDE from all out-of-scope systems. PCI DSS Reference: Requirement 11 Assessment Findings (select one) In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.
• The penetration testing verifies that segmentation controls/methods are operational and effective, and isolate the CDE from all out-of-scope systems. PCI DSS Reference: Requirement 11 Assessment Findings (select one) Select If a Compensating Control Was Used* In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions. *Complete and attach Appendix C to support this …
Modified p. 19 → 17
• Addresses the potential for cleartext PAN to reside on systems and networks outside the currently defined CDE. PCI DSS Reference: Scope of PCI DSS Requirements Assessment Findings (select one) In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.
• Addresses the potential for cleartext PAN to reside on systems and networks outside the currently defined CDE. PCI DSS Reference: Scope of PCI DSS Requirements Assessment Findings (select one) Select If a Compensating Control Was Used* In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions. *Complete and attach Appendix C to support …
Modified p. 20 → 17
<Enter Response Here> Testing Procedures Reporting Instructions Reporting Details: Assessor’s Response A3.2.5.a Examine the documented data-discovery methodology to verify it includes all elements specified in this requirement.
Testing Procedures Reporting Instructions Reporting Details: Assessor’s Response A3.2.5.a Examine the documented data-discovery methodology to verify it includes all elements specified in this requirement.
Modified p. 20 → 17
<Enter Response Here> A3.2.5.b Examine results from recent data discovery efforts, and interview responsible personnel to verify that data discovery is performed at least once every three months and upon significant changes to the CDE or processes.
A3.2.5.b Examine results from recent data discovery efforts, and interview responsible personnel to verify that data discovery is performed at least once every three months and upon significant changes to the CDE or processes.
Modified p. 21 → 18
• The effectiveness of data-discovery methods is confirmed at least once every 12 months. PCI DSS Reference: Scope of PCI DSS Requirements Assessment Findings (select one) In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.
• The effectiveness of data-discovery methods is confirmed at least once every 12 months. PCI DSS Reference: Scope of PCI DSS Requirements Assessment Findings (select one) Select If a Compensating Control Was Used* In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions. *Complete and attach Appendix C to support this method.
Modified p. 22 → 18
<Enter Response Here> Identify the evidence reference number(s) from Section 6 of the ROC Template for all documentation examined for this testing procedure.
Identify the evidence reference number(s) from Section 6 of the ROC Template for all documentation examined for this testing procedure.
Modified p. 22 → 18
<Enter Response Here> A3.2.5.1.b Examine the results of effectiveness tests to verify that the effectiveness of data-discovery methods is confirmed at least once every 12 months.
A3.2.5.1.b Examine the results of effectiveness tests to verify that the effectiveness of data-discovery methods is confirmed at least once every 12 months.
Removed p. 24
<Enter Response Here> Identify the evidence reference number(s) from Section 6 of the ROC Template for all records of response actions examined for this testing procedure.
Modified p. 24 → 19
<Enter Response Here> A3.2.5.2.b Interview personnel and examine records of response actions to verify that remediation activities are performed when cleartext PAN is detected outside the CDE.
A3.2.5.2.b Interview personnel and examine records of response actions to verify that remediation activities are performed when cleartext PAN is detected outside the CDE.
Modified p. 24 → 21
• Generating audit logs and alerts upon detection of cleartext PAN leaving the CDE via an unauthorized channel, method, or process. PCI DSS Reference: Scope of PCI DSS Requirements, Requirement 12 Assessment Findings (select one) In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.
• Generating audit logs and alerts upon detection of cleartext PAN leaving the CDE via an unauthorized channel, method, or process. PCI DSS Reference: Scope of PCI DSS Requirements, Requirement 12 Assessment Findings (select one) Select If a Compensating Control Was Used* In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions. *Complete and …
Removed p. 25
<Enter Response Here> Identify the evidence reference number(s) from Section 6 of the ROC Template for all interview(s) conducted for this testing procedure.
Modified p. 25 → 21
<Enter Response Here> Testing Procedures Reporting Instructions Reporting Details: Assessor’s Response A3.2.6.a Examine documentation and observe implemented mechanisms to verify that the mechanisms are in accordance with all elements specified in this requirement.
Testing Procedures Reporting Instructions Reporting Details: Assessor’s Response A3.2.6.a Examine documentation and observe implemented mechanisms to verify that the mechanisms are in accordance with all elements specified in this requirement.
Modified p. 25 → 21
<Enter Response Here> Identify the evidence reference number(s) from Section 6 of the ROC Template for all observation(s) of the implemented mechanisms for this testing procedure.
Identify the evidence reference number(s) from Section 6 of the ROC Template for all observations of the implemented mechanisms for this testing procedure.
Modified p. 25 → 21
<Enter Response Here> A3.2.6.b Examine audit logs and alerts, and interview responsible personnel to verify that alerts are investigated.
A3.2.6.b Examine audit logs and alerts, and interview responsible personnel to verify that alerts are investigated.
Modified p. 26 → 23
• Procedures for remediating data leaks or process gaps, as necessary, to prevent any data loss. PCI DSS Reference: Requirement 12 Assessment Findings (select one) In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.
• Procedures for remediating data leaks or process gaps, as necessary, to prevent any data loss. PCI DSS Reference: Requirement 12 Assessment Findings (select one) Select If a Compensating Control Was Used* In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions. *Complete and attach Appendix C to support this method.
Removed p. 27
<Enter Response Here> Identify the evidence reference number(s) from Section 6 of the ROC Template for all records of actions taken examined for this testing procedure.
Modified p. 27 → 23
<Enter Response Here> A3.2.6.1.b Interview personnel and examine records of actions taken when cleartext PAN is detected leaving the CDE via an unauthorized channel, method, or process and verify that remediation activities were performed.
A3.2.6.1.b Interview personnel and examine records of actions taken when cleartext PAN is detected leaving the CDE via an unauthorized channel, method, or process and Identify the evidence reference number(s) from Section 6 of the ROC Template for all interviews conducted for this testing procedure.
Modified p. 27 → 24
Identify the evidence reference number(s) from Section 6 of the ROC Template for all interview(s) conducted for this testing procedure.
Identify the evidence reference number(s) from Section 6 of the ROC Template for all records of actions taken examined for this testing procedure.
Modified p. 28 → 25
• Automated code review tools (if used). This bullet is a best practice until 31 March 2025, after which they will be required as part of Requirement A3.3.1 and must be fully considered during a PCI DSS assessment. PCI DSS Reference: Requirements 1-12 Assessment Findings (select one) In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the …
• Automated code review tools (if used). This bullet is a best practice until 31 March 2025, after which they will be required as part of Requirement A3.3.1 and must be fully considered during a PCI DSS assessment. PCI DSS Reference: Requirements 1-12 Assessment Findings (select one) Select If a Compensating Control Was Used* In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of …
Modified p. 29 → 26
<Enter Response Here> A3.3.1.b Examine detection and alerting processes, and interview personnel to verify that processes are implemented for all critical security controls specified in this requirement and that each failure of a critical security control results in the generation of an alert.
A3.3.1.b Examine detection and alerting processes, and interview personnel to verify that processes are implemented for all critical security controls specified in this requirement and that each failure of a critical security control results in the generation of an alert.
Modified p. 30 → 27
PCI DSS Requirement A3.3.1.2 Failures of any critical security control systems are responded to promptly. Processes for responding to failures in security control systems include:
PCI DSS Requirement A3.3.1.1 Failures of any critical security control systems are responded to promptly. Processes for responding to failures in security control systems include:
Modified p. 30 → 27
• Resuming monitoring of security controls. PCI DSS Reference: Requirements 1-12 Assessment Findings (select one) In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.
• Resuming monitoring of security controls. PCI DSS Reference: Requirements 1-12 Assessment Findings (select one) Select If a Compensating Control Was Used* In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions. *Complete and attach Appendix C to support this method.
Modified p. 33 → 29
<Enter Response Here> A3.3.2.b Review the results of the recent reviews of hardware and software technologies to verify reviews are performed at least once every 12 months.
A3.3.2.b Review the results of the recent reviews of hardware and software technologies to verify reviews are performed at least once every 12 months.
Modified p. 33 → 29
<Enter Response Here> A3.3.2.c Review documentation to verify that, for any technologies that have been determined to no longer meet the organization’s PCI DSS requirements, a plan is in place to remediate the technology.
A3.3.2.c Review documentation to verify that, for any technologies that have been determined to no longer meet the organization’s PCI DSS requirements, a plan is in place to remediate the technology.
Modified p. 34 → 30
• Retention of records and documentation for at least 12 months, covering all BAU activities. PCI DSS Reference: Requirements 1-12 Assessment Findings (select one) In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.
• Retention of records and documentation for at least 12 months, covering all BAU activities. PCI DSS Reference: Requirements 1-12 Assessment Findings (select one) Select If a Compensating Control Was Used* In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions. *Complete and attach Appendix C to support this method.
Removed p. 35
Validation Method

• Defined Approach Indicate whether a Compensating Control was used: ☐ Yes ☐ No If “Yes”, Identify the aspect(s) of the requirement where the Compensating Control(s) was used. Note: The use of Compensating Controls must also be documented Appendix C of the ROC Template.

<Enter Response Here> Identify the evidence reference number(s) from Section 6 of the ROC Template for all records of reviews examined for this testing procedure.
Modified p. 35 → 30
<Enter Response Here> Testing Procedures Reporting Instructions Reporting Details: Assessor’s Response A3.3.3.a Examine policies and procedures to verify that processes are defined for reviewing and verifying BAU activities in accordance with all elements specified in this requirement.
Testing Procedures Reporting Instructions Reporting Details: Assessor’s Response A3.3.3.a Examine policies and procedures to verify that processes are defined for reviewing and verifying BAU activities in accordance with all elements specified in this requirement.
Modified p. 35 → 30
<Enter Response Here> A3.3.3.b Interview responsible personnel and examine records of reviews to verify that:
A3.3.3.b Interview responsible personnel and examine records of reviews to verify that:
Modified p. 35 → 31
Identify the evidence reference number(s) from Section 6 of the ROC Template for all interview(s) conducted for this testing procedure.
Identify the evidence reference number(s) from Section 6 of the ROC Template for all records of reviews examined for this testing procedure.
Modified p. 36 → 32
PCI DSS Requirement A3.4.1 User accounts and access privileges to in-scope system components are reviewed at least once every six months to ensure user accounts and access privileges remain appropriate based on job function, and that all access is authorized. PCI DSS Reference: Requirement 7 Assessment Findings (select one) In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings …
PCI DSS Requirement A3.4.1 User accounts and access privileges to in-scope system components are reviewed at least once every six months to ensure user accounts and access privileges remain appropriate based on job function, and that all access is authorized. PCI DSS Reference: Requirement 7 Assessment Findings (select one) Select If a Compensating Control Was Used* In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” …
Modified p. 37 → 32
<Enter Response Here> Identify the evidence reference number(s) from Section 6 of the ROC Template for all documentation examined for this testing procedure.
Identify the evidence reference number(s) from Section 6 of the ROC Template for all documentation examined for this testing procedure.
Modified p. 38 → 33
• Response to alerts in accordance with documented response procedures. PCI DSS Reference: Requirements 10, 12 Assessment Findings (select one) In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.
• Response to alerts in accordance with documented response procedures. PCI DSS Reference: Requirements 10, 12 Assessment Findings (select one) Select If a Compensating Control Was Used* In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions. *Complete and attach Appendix C to support this method.
Removed p. 39
<Enter Response Here> Identify the evidence reference number(s) from Section 6 of the ROC Template for all interview(s) conducted for this testing procedure.
Modified p. 39 → 33
<Enter Response Here> A3.5.1.b Examine incident response procedures and interview responsible personnel to verify that:
A3.5.1.b Examine incident response procedures and interview responsible personnel to verify that:
Modified p. 39 → 34
Identify the evidence reference number(s) from Section 6 of the ROC Template for all incident response procedures examined for this testing procedure.
Identify the evidence reference number(s) from Section 6 of the ROC Template for all interviews conducted for this testing procedure.