Document Comparison

PCI_CP_ROC_v3.02_Reporting_Template_SOC.pdf → PCI_Card_Production_Physical_AOC_v3.0.2-SOC.pdf
1% similar
100 → 9 Pages
27243 → 1594 Words
26 Content Changes

Content Changes

26 content changes. 22 administrative changes (dates, page numbers) hidden.

Added p. 2
Section 1: Assessment Information
Instructions for Submission
This Attestation of Compliance must be completed as a declaration of the results of the card vendor’s assessment with the Payment Card Industry Card Production and Provisioning Physical Security Requirements (PCI CPPPSR)

• Appendix C: Security Operations Center.
Complete all sections: The card vendor is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact the requesting payment brand for reporting and submission procedures.

Part 1. Card Vendor and Card Production Security Assessor

• Security Operations Center Controls (CPSA-S) Information
Part 1a. Card Production and Provisioning Organization Information
Company Name:

DBA (doing business as):

Part 1b. Card Production Security Assessor Company Information (if applicable)
Company Name:

Lead Assessor Contact Name:
Added p. 5
• The requirement and all sub-requirements of that requirement were assessed, and no sub-requirements were marked as “Not Applicable” in the ROC.

• One or more sub-requirements of that requirement were marked as “Not Applicable” in the ROC.

• All sub-requirements of that requirement were marked as “Not Applicable” in the ROC.

Note: Payment brand waivers do not constitute full compliance.

For all requirements identified as either “Partial” or “None,” provide details in the “Justification for Approach” column, including:

• Details of specific sub-requirements that were marked as “Not Applicable” in the ROC

• Reason why sub-requirement(s) were not applicable.

Note: One table to be completed for each service covered by this AOC. Additional copies of this section are available on the PCI SSC website.

PCI Card Production and Provisioning − Security Operations
Details of Requirements Assessed | Full | Partial | None | Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not applicable …
Added p. 8
Part 3c. Security Assessor Acknowledgement (if applicable)
If a Security Assessor was involved or assisted with this assessment, describe the role performed:

Signature of Assessor  Date:

Assessor Name: Assessor Company:
Added p. 9
Check with the applicable payment brand(s) before completing Part 4.

Security Operations Center Section | Description of Requirement | Compliant to PCI Card Vendor Security Requirements (Select One) | Remediation Date and Actions (If “NO” selected for any Requirement)

C.1 General Requirements

C.2 Physical Construction

C.3 Security Management System

C.4 SOC Personnel

C.5 Data Security

C.6 Software Design and Development

C.7 User Management and System Access Control

C.8 Continuity of Service
Removed p. 2
July 2015 1.0 Initial version

December 2015 1.0a Minor errata

June 2016 1.0b Expanded sections 2.2, 3.2 and 3.3

April 2017 2.0 Updated for changes incorporated into v2 of the Security Requirements, including Mobile Provisioning.

December 2017 2.1 Updated with addition of Test Procedures

June 2022 3.0 Updated for release of new Requirements

September 2022 3.0.1 Minor errata

November 2023 3.0.2 Minor errata
Removed p. 4
• It serves as a declaration of the results of the card vendor’s assessment of compliance with the PCI Card Production and Provisioning Physical Security Requirements

• Security Operations Center v3.0.1

• It provides reporting instructions and the template for assessors to use. This can help provide reasonable assurance that a consistent level of reporting is present among assessors.

Use of this reporting template is subject to payment brand stipulations for all Card Production and Provisioning v3.0.1 submissions.

Tables have been included in this template to facilitate the reporting process for certain lists and other information as appropriate. Additional appendices may be added if the assessor feels there is relevant information to be included that is not addressed in the current format. However, the assessor must not remove any details from the tables provided in this document.

Do not delete any content from any place in this document, including this section and the versioning above. …
Removed p. 5
1. Section 1: Contact Information and Report Date

2. Section 2: Summary of Non-Compliance Findings

3. Section 3: Inspection Overview

4. Section 4: Findings and Observations

Note: Sections 1 through 4 must be thoroughly and accurately completed, in order for the assessment findings in Section 5 to have the proper context. The reporting template includes tables with reporting instructions built-in to help assessors provide all required information throughout the document. Responses should be specific but efficient. Information provided should focus on concise quality of detail, rather than lengthy, repeated verbiage. Parroting the testing procedure within a description is discouraged, as it does not add any level of assurance to the narrative. Use of template language for summaries and descriptions is discouraged and details should be specifically relevant to the assessed entity.

ROC Vendor Self-Evaluation
The card vendor is asked to complete the card vendor self-evaluation in Section 5: Findings and Observations, for all requirements.

• Only …
Removed p. 6
The following table is a helpful representation when considering which selection to make and when to add comments. Remember, only one “Result” response may be selected at the sub-requirement level, and reporting of that should be consistent with other required documents.

Response | When to use this response:

Yes | Indicates the vendor is in compliance with this requirement.

New | Indicates that this is a new non-compliance finding identified by the assessor for the first time.

Indicates that this item was previously reported as a non-compliance finding and the action (if any) taken by the vendor does not resolve the original condition. The "Non-Compliance Description" column must explicitly state when this finding was first reported, the non-compliance condition observed, and the action (or lack thereof) taken by the vendor to resolve the finding. Findings for which the vendor has taken corrective action that resolved the original finding but introduced a new non-compliance condition are reported as new …
Removed p. 7
Do’s and Don’ts: Reporting Expectations

DO:

• Use this Reporting Template when assessing against v3.0 of the Card Production and Provisioning Security Requirements.

• Complete all sections in the order specified.

• Read and understand the intent of each requirement and testing procedure.

• Provide a response for every security requirement.

• Provide sufficient detail and information to support the designated finding, but be concise.

• Describe how a Requirement was verified per the Reporting Instruction, not just that it was verified.

• Ensure all parts of the Reporting Instructions are addressed.

• Ensure the response covers all applicable system components.

• Perform an internal quality assurance review of the ROC for clarity, accuracy, and quality.

• Provide useful, meaningful diagrams, as directed.

DON’T:

• Don’t simply repeat or echo the security requirement in the response.

• Don’t copy responses from one requirement to another.

• Don’t copy responses from previous assessments.

• Don’t include information irrelevant to the assessment.
Removed p. 8
• Company name: Payment Brand Identification Code:
Removed p. 8
• Secondary Assessor:

• Secondary Assessor:

Assessor Quality Assurance (QA) Primary Reviewer for this specific report (not the QA Contact for the CPSA)
Modified p. 9 → 4
• Timeframe of assessment (start date to completion date): Start date (yyyy/mm/dd): Completion date (yyyy/mm/dd):
• Timeframe of assessment (start date to completion date):
Modified p. 9 → 4
• If remotely, state the rationale:
• If remote, state the rational:
Modified p. 9 → 4
• If applicable, identify date(s) spent onsite at the entity: Start date (yyyy/mm/dd): Completion date (yyyy/mm/dd):
• If applicable, identify date(s) spent onsite at the entity:
Removed p. 11
2. Summary of Non-Compliance Findings
Please use the table on the following page to report, covering all sections under each heading. Write up findings and list non-compliances

• including the section reference number the non-compliance relates to

• within the findings text as each non-compliance occurs. List all non-compliances in order, including the relevant section reference number the non-compliance

• for example:
Removed p. 11
C.5.2.1.b The network topology diagram is not reviewed, updated, and verified at least once each year.

C.5.15.g Recovery procedures for an alternate SOC site do not require the site to be VPA approved prior to the initiation of SOC activities.

Notes for Consideration

• Please ensure non-compliances are written exactly as the examples above and be as specific as possible down to the exact bullet that covers the non-compliance.

• Also list items that are not non-compliances but are items that either the assessor is unsure of, or the vendor has discussed with the assessor, where questions arising from this discussion can only be answered by the applicable payment brand(s). This section is optional, so if not required, please delete it from the report.
Removed p. 14
3. Inspection Overview
3.1 Facility Description
The auditor must provide a general description of the vendor facility and Card Production and Provisioning environment. For example, “The facility consists of multiple buildings, and card production activities are performed in one building consisting of a High Security Area for Card Production and Provisioning. Administration functions are performed external to the HSA. The vendor being audited is the only occupant of this building.” The introduction must also include any unusual conditions that may impact the audit scope or compliance assessment process. For example, “First audit after relocation, significant expansion / reconfiguration of the HSA, significant changes to key personnel, introduction of new technologies,” and any other unusual conditions.

• Vendor Facility and Card Production and Provisioning Environment

• Conditions that may Impact Audit Scope
Removed p. 15
Document Name (including version, if applicable) | Brief description of document purpose | Document date (latest version)
Removed p. 17
Employee Name | Role/Job Title | Organization | Summary of Topics Covered / Areas or Systems of Expertise (high-level summary only)
Removed p. 19
4. Validating the Requirements
The validation methods identified for each requirement describe the expected activities to be performed by the assessor to validate whether the entity has met the requirement. The intent behind each validation method is described as follows:

• Examine: The assessor critically evaluates data evidence. Common examples include documents (electronic or physical), screenshots, configuration files, audit logs, and data files.

• Observe: The assessor watches an action or views something in the environment. Examples of observation subjects include personnel performing a task or process, system components performing a function or responding to input, system configurations/settings, environmental conditions, and physical controls.

• Interview: The assessor converses with individual personnel. Interview objectives may include confirmation of whether an activity is performed, descriptions of how an activity is performed, and whether personnel have particular knowledge or understanding.

The validation methods are intended to allow the assessed entity to demonstrate how it has met a …
Removed p. 20
a) Only activities related to SOC and SCR operations shall occur within the SOC perimeter.

Note: SCR activities are not required to occur within the SOC environment.

Observe to verify that only activities related to SOC and SCR operations occur within the SOC perimeter.

Interview personnel to verify that only activities related to SOC and SCR operations occur within the SOC perimeter.

b) SOCs must only monitor facilities that are owned and operated by the card vendor who operates the SOC.

Examine documentation to verify that facilities monitored are owned and operated by the card vendor who operates the SOC.

Interview personnel to verify that the SOC only monitors facilities that are owned and operated by the card vendor who operates the SOC.

c) SOCs must only monitor card production facilities that are either VPA-approved or are seeking VPA approval.

Examine documentation to identify which vendor facilities are VPA-approved and list them for VPA …
Modified p. 23 → 5
Section C.2: Physical Construction
Section C.2: Physical Construction Facilities
Removed p. 24
Section C.2
Requirement | Card Vendor Self-Evaluation (Comply | Comments) | Test Procedure | Assessor Compliance Evaluation (Result | Comment/Non-Compliance Assessment)
C.2.2 Structural requirements
The vendor must ensure that:

a) The perimeter walls of the SOC must be concrete or of a similar construction of equivalent resistance.

Examine documentation for the design of the SOC perimeter walls to verify they are constructed of concrete or a similar construction of equivalent resistance.

Observe the perimeter walls to verify the design is constructed as stated above.

b) Doors, frames, locks, and door closers fitted with ACS must all be of reasonable quality and strength to be effective.

Observe the doors, frames, locks, and door closers fitted with ACS to verify the construction is of reasonable quality and strength to be effective.

c) Fail-secure doors must be used that will not release in the event of emergency egress or power failure, i.e., the default state is that the door stays locked.

Observe that fail-secure …
Removed p. 39
c) A CISO must be designated to be responsible for all security matters related to the SOC.

Examine applicable policies and procedures to verify that a senior manager has been designated as CISO responsible for all security matters related to the SOC.

Interview the CISO to determine their understanding of their roles and responsibilities.

d) The CISO must be an employee of the vendor.

e) A dedicated supervisor must be working in a SOC whenever the SOCs are operational. The supervisor’s role is:

• Coordinating incident management responses.

• Functioning as the initial point of escalation of security events for the SOCs.

Examine applicable policies and procedures to verify that individuals have been designated as dedicated supervisors to work in the SOC whenever the SOCs are operational.

Interview at least one dedicated supervisor to determine his or her understanding …
Removed p. 99
Section C.8
Requirement | Card Vendor Self-Evaluation (Comply | Comments) | Test Procedure | Assessor Compliance Evaluation (Result | Comment/Non-Compliance Assessment)
C.8.3 Performance Testing

a) Each SOC must test quarterly to ensure that the level of resilience and redundancy is of sufficient adequacy to ensure continued operation for the support of the defined managed vendor facilities. The testing must include, but is not limited to:

• Application performance when switched between SOCs and/or the defined managed vendor facilities.

• Hardware performance to ensure appropriate levels of redundancy which minimizes impacts of SOC and/or the defined managed vendor facility operations for potential outages.

Examine documentation to verify that each SOC tests quarterly to ensure that the level of resilience and redundancy is of sufficient adequacy …
Removed p. 100
c) For each test performed above, a report must be created which details the following points:

• Scope of test (including the location tested/reviewed).

• Names of all individuals who were involved in the test/review.

• Date of the test/review.

• Evidence of the performance of the scoped area.

• List of all issues that require action.

Examine documentation to verify that the SOC produces a report that details the following for this Performance Testing Section:

d) Each reported issue must be categorized and suitable timescales applied, as defined in the vendor policies.

Examine documentation to verify that each reported issue is categorized and suitable timescales applied, as defined in the vendor policies.

e) The Corporate Security Director must review …