Document Comparison
PCI_Card_Production_Physical_AOC_v3.0.2-SOC.pdf → PCI_Card_Production_Physical_AOC_v3.0.3_SOC.pdf
86% similar
Pages: 9 → 9
Words: 1594 → 1599
22 content changes. 9 administrative changes (dates, page numbers) hidden.
Added
p. 2
Payment Brand Identification Code:
Added
p. 4
Start date: YYYY-MM-DD Completion date: YYYY-MM-DD
Added
p. 8
If my environment changes, I recognize I must reassess my environment and implement any additional PCI Card Production and Provisioning Physical Security Requirements that apply.
Modified
p. 2
Section 1: Assessment Information Instructions for Submission This Attestation of Compliance must be completed as a declaration of the results of the card vendor’s assessment with the Payment Card Industry Card Production and Provisioning Physical Security Requirements (PCI CPPPSR)
• Appendix C: Security Operations Center. Complete all sections: The card vendor is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact the requesting payment brand for reporting and submission procedures.
• Appendix C: Security Operations Center.
Section 1: Assessment Information Instructions for Submission This Attestation of Compliance must be completed by the assessor as a declaration of the results of the card vendor’s assessment with the Payment Card Industry Card Production and Provisioning Physical Security Requirements (PCI CPPPSR)
• Appendix C: Security Operations Center. All sections must be completed. The assessor is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact the requesting payment brand for reporting and submission procedures.
Modified
p. 2
Part 1b. Card Production Security Assessor Company Information (if applicable) Company Name:
Part 1b. Card Production Security Assessor Company Information Company Name:
Removed
p. 4
Start date (yyyy/mm/dd):
Completion date (yyyy/mm/dd):
Modified
p. 4
• Date of Report (yyyy/mm/dd):
• Date of Report: YYYY-MM-DD
Modified
p. 4
Start date (yyyy/mm/dd): Completion date (yyyy/mm/dd):
Start date: YYYY-MM-DD Completion date: YYYY-MM-DD
Modified
p. 4
• If remote, state the rational:
• If remotely, state the rationale:
Modified
p. 5
• Details of specific sub-requirements that were marked as “Not Applicable” in the ROC
• Details of specific sub-requirements that were marked as “Not Applicable” in the ROC.
Modified
p. 5
PCI Card Production and Provisioning − Security Operations Details of Requirements Assessed Full Partial None Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub- requirements were not applicable and the reason.)
PCI Card Production and Provisioning − Security Operations Details of Requirements Assessed Full Partial None Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not applicable and the reason.)
Modified
p. 6
The assessment documented in this attestation and in the ROC was completed on:
The assessment documented in this attestation and in the ROC was completed on: YYYY-MM-DD Were any requirements in the ROC identified as being not applicable (N/A)? Yes No Were any requirements not tested? Yes No Were any requirements in the ROC unable to be met due to a legal constraint? Yes No
Removed
p. 7
I have read the PCI Card Production and Provisioning Security Operations Center Security Requirements and I recognize that I must maintain PCI Card Production Security Requirements compliance, as applicable to my environment, at all times.
If my environment changes, I recognize I must reassess my environment and implement any additional PCI Card Production and Provisioning Security Operations Center Security Requirements that apply.
Modified
p. 7
Section 3: Validation and Attestation Details Part 3. PCI Card Production and Provisioning Physical Security Validation Based on the results noted in the ROC dated (completion date), the signatories identified in Parts 3b-3c, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document as of (date): (check one):
Section 3: Validation and Attestation Details Part 3. PCI Card Production and Provisioning Physical Security Validation Based on the results noted in the ROC dated (completion date), the signatories identified in Parts 3a-3b, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document as of (date): (check one):
Modified
p. 7
Non-Compliant: Not all sections of the PCI Card Production and Provisioning Security Operations Center ROC are complete, or not all questions are answered affirmatively, resulting in an overall NON- COMPLIANT rating, thereby (Card Production and Provisioning Vendor Company Name) has not demonstrated full compliance with the PCI Card Production and Provisioning Security Operations Center Security Requirements.
Non-Compliant: Not all sections of the PCI Card Production and Provisioning Security Operations Center ROC are complete, or not all questions are answered affirmatively, resulting in an overall NON-COMPLIANT rating, thereby (Card Production and Provisioning Vendor Company Name) has not demonstrated full compliance with the PCI Card Production and Provisioning Security Operations Center Security Requirements.
Modified
p. 7
An entity submitting this form with a status of Non-Compliant may be required to complete the Action Plan in Part 4 of this document. Check with the payment brand(s) before completing Part 4.
Target Date for Compliance: YYYY-MM-DD An entity submitting this form with a status of Non-Compliant may be required to complete the Action Plan in Part 4 of this document. Check with the payment brand(s) before completing Part 4.
Modified
p. 7
Compliant but with Legal exception: One or more requirements are marked Non-Compliant as “Open” or “New” due to a legal restriction that prevents the requirement from being met. This option requires additional review from the payment brand.
Compliant but with legal exception: One or more requirements are marked Non-Compliant as “Open” or “New” due to a legal restriction that prevents the requirement from being met. This option requires additional review from the payment brand.
Modified
p. 7
Affected Requirement Details of how legal constraint prevents requirement being met Part 3a. Acknowledgement of Status Signatory(s) confirms:
Affected Requirement Details of how legal constraint prevents requirement from
Modified
p. 7 → 8
Date: YYYY-MM-DD Part 3b. Security Assessor Attestation The ROC was completed according to the PCI Card Production and Provisioning Physical Security Requirements, Version (version number), and was completed according to the instructions therein.
Removed
p. 8
Part 3c. Security Assessor Acknowledgement (if applicable) If a Security Assessor was involved or assisted with this assessment, describe the role performed:
Modified
p. 8
Signature of Assessor Date:
Signature of Assessor Date: YYYY-MM-DD Assessor Name: Assessor Company:
Modified
p. 9
Security Operations Center Section Description of Requirement Compliant to PCI Card Vendor Security Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) C.1 General Requirements C.2 Physical Construction C.3 Security Management System C.4 SOC Personnel C.5 Data Security C.6 Software Design and Development C.7 User Management and System Access Control C.8 Continuity of Service
Security Operations Center Section Description of Requirement Compliant to PCI Card Production and Provisioning Security Requirements (Select One) Remediation Date and Actions (If “NO” selected for any requirement) C.1 General Requirements C.2 Physical Construction C.3 Security Management System C.4 SOC Personnel C.5 Data Security C.6 Software Design and Development C.7 User Management and System Access Control C.8 Continuity of Service