Document Comparison
PCI-DSS-v4_0-ROC-Template.pdf → PCI-DSS-v4-0-ROC-Template-r1.pdf
96% similar
Pages: 492 → 486
Words: 105559 → 104793
Content Changes: 65
From Revision History
- February 2014 PCI DSS 3.0, Revision 1.0 To introduce the template for submitting Reports on Compliance.
- April 2015 PCI DSS 3.1, Revision 1.0 Revision to align with changes from PCI DSS 3.0 to PCI DSS 3.1 (see PCI DSS – Summary of Changes from PCI DSS
- December 2022 PCI DSS 4.0 Revision 1 Updates include minor clarifications, corrections to typographical errors, and removal of In Place with Remediation as a
- December 2022 © 2006 - 2022 PCI Security Standards Council, LLC. All rights reserved. Page iii
Content Changes
65 content changes. 295 administrative changes (dates, page numbers) hidden.
Added
p. 2
December 2022 PCI DSS 4.0 Revision 1 Updates include minor clarifications, corrections to typographical errors, and removal of In Place with Remediation as a reporting option.
Added
p. 110
<Enter Response Here> Requirement Description 3.4 Access to displays of full PAN and ability to copy PAN is restricted.
Added
p. 121
<Enter Response Here> Requirement Description 3.6 Cryptographic keys used to protect stored account data are secured.
Added
p. 150
<Enter Response Here> Testing Procedures Reporting Instructions Reporting Details: Assessor’s Response 4.2.1.1.a Examine documented policies and procedures to verify Identify the evidence reference number(s) from Section 6 for the documented <Enter Response Here>
Added
p. 305
<Enter Response Here> Testing Procedures Reporting Instructions Reporting Details: Assessor’s Response 9.4.1.2.a Examine documentation to verify that procedures are defined for reviewing the security of the offline Identify the evidence reference number(s) from Section 6 for all documentation examined for this testing procedure.
Added
p. 328
<Enter Response Here> Testing Procedures Reporting Instructions Reporting Details: Assessor’s Response 10.1.2.a Examine documentation to verify that descriptions of roles and responsibilities for performing Identify the evidence reference number(s) from Section 6 for all documentation examined for this testing procedure.
Added
p. 404
<Enter Response Here> Identify the evidence reference number(s) from Section 6 for all results from <Enter Response Here>
Added
p. 448
<Enter Response Here> Testing Procedures Reporting Instructions Reporting Details: Assessor’s Response 12.8.4.a Examine policies and procedures to verify that processes Identify the evidence reference number(s) from Section 6 for all policies and <Enter Response Here>
Added
p. 479
PCI DSS v4.0 Supplemental Report on Compliance Template - Designated Entities Supplemental Validation PCI DSS v4.0 Supplemental Attestation of Compliance for Report on Compliance - Designated Entities Supplemental Validation These documents are available in the PCI SSC Document Library.
Modified
p. 1
PCI DSS v4.0 Report on Compliance Template
PCI DSS v4.0 Report on Compliance Template Revision 1
Removed
p. 8
In Place with Remediation The requirement was Not in Place at some point during the PCI DSS assessment period of the entity, but where the entity remediated the issue such that the requirement was In Place before completion of the assessment. In all cases of In Place with Remediation, the assessor must have assurance that the entity has identified and addressed the reason that the control failed, has implemented the control, and has implemented ongoing processes to prevent re-occurrence of the control failure.
In Figure 1, the Assessment Finding at 1.1.1 is In Place with Remediation if all report findings are In Place only after the necessary remediations were performed for 1.1.1.a and 1.1.1.b or a combination of In Place with Remediation for one testing procedure and either In Place or Not Applicable for the other testing procedure.
Describe what was initially Not in Place and how the testing and evidence demonstrates …
Modified
p. 9 → 8
In Figure 1, the Assessment Finding at 1.1.1 is Not Applicable if both 1.1.1.a and 1.1.1.b are concluded to be Not Applicable. A requirement is applicable if any aspects of the requirement apply to the environment being assessed, and a Not Applicable designation in the Assessment Findings should not be used in this scenario. Note: Requirements and/or individual bullets within a requirement noted as a best practice until its effective date are considered Not Applicable until the future date has …
In Figure 1, the Assessment Finding at 1.1.1 is Not Applicable if both 1.1.1.a and 1.1.1.b are concluded to be Not Applicable. A requirement is applicable if any aspects of the requirement apply to the environment being assessed, and a Not Applicable designation in the Assessment Findings should not be used in this scenario. Note: Requirements and/or individual bullets within a requirement noted as a best practice until its effective date are considered Not Applicable until the future date has …
Modified
p. 9
In Figure 1, the Assessment Finding at 1.1.1 is Not Tested” if either 1.1.1.a or 1.1.1.b are concluded to be Not Tested.
In Figure 1, the Assessment Finding at 1.1.1 is Not Tested if either 1.1.1.a or 1.1.1.b are concluded to be Not Tested.
Modified
p. 11 → 10
PCI DSS Requirement 1.1.1 Example Requirement Assessment Findings (select one) In Place In Place with Remediation Not Applicable Not Tested Not in Place Describe why the assessment finding was selected.
PCI DSS Requirement 1.1.1 Example Requirement Assessment Findings (select one) In Place Not Applicable Not Tested Not in Place Describe why the assessment finding was selected.
Modified
p. 16 → 15
The response would include the relevant item(s) requested. Example Reporting Instruction: “Identify the evidence reference number(s) from Section 6 for all documentation examined for this testing procedure.” Example Response: Doc-01 OR Doc-01 (CompanyXYZ Information Security Policy) Note: When a reference number is available, it is required; however, the assessor also has the option to list individual items in addition to the reference number.
The response would include the relevant item(s) requested. Example Reporting Instruction: “Identify the evidence reference number(s) from Section 6 for all documentation examined for this testing procedure.” Example Response: Doc-01 OR Doc-01 (Company XYZ Information Security Policy) Note: When a reference number is available, it is required; however, the assessor also has the option to list individual items in addition to the reference number.
Modified
p. 17 → 16
• Don’t select one of the In Place responses without verification that the requirement is met (plans to meet a requirement in the future do not warrant an In Place response)
• Don’t select the In Place response without verification that the requirement is met (plans to meet a requirement in the future do not warrant an In Place response)
Modified
p. 25 → 23
☐ Yes ☐ No If yes, identify the Assessor Company(s) utilized during the assessment.
☐ Yes ☐ No If yes, identify the Assessor Company(s) utilized during the assessment. <Enter Response Here> 1.6 Additional Information/Reporting Identify the number of consecutive years (including the current year) the QSA Company has issued ROCs for this entity.
Modified
p. 25 → 23
Overall Assessment Result (Select only one) Compliant: All sections of the PCI DSS ROC are complete, and all assessed requirements are marked as being either 1) In Place, 2) In Place with Remediation, or 3) Not Applicable, resulting in an overall COMPLIANT rating; thereby the assessed entity has demonstrated compliance with all PCI DSS requirements except those noted as Not Tested above.
Overall Assessment Result (Select only one) Compliant: All sections of the PCI DSS ROC are complete, and all assessed requirements are marked as being either In Place or Not Applicable, resulting in an overall COMPLIANT rating; thereby the assessed entity has demonstrated compliance with all PCI DSS requirements except those noted as Not Tested above.
Modified
p. 25 → 23
Compliant but with Legal Exception: One or more assessed requirements in the ROC are marked as Not in Place due to a legal restriction that prevents the requirement from being met and all other assessed requirements are marked as being either In Place or Not Applicable, resulting in an overall COMPLIANT BUT WITH LEGAL EXCEPTION rating, thereby the assessed entity has demonstrated compliance with all PCI DSS requirements except those noted as Not Tested above or as Not in Place …
Modified
p. 26 → 24
Select If Below Method(s) Was In Place In Place with Remediation Not Applicable Not Tested Not in Place Compensating Customized
Select If Below Method(s) Was In Place Not Applicable Not Tested Not in Place Compensating Customized
Modified
p. 27 → 25
Not Applicable Not Tested Not in Place Due to a Legal Restriction Not in Place Not Due to a Legal Restriction Compensating Customized <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> Optional: Additional Assessor Comments This optional field is provided for the assessor to document any additional information that is relevant to the entity being assessed and that may or may not have impacted the findings of this assessment.
Modified
p. 30 → 28
• If it was included in a separate assessment. If none, mark as “Not Applicable.” <Enter Response Here> Identify if any factors that resulted in reducing or limiting scope (for example, segmentation of the environment, use of a P2PE solution, etc.) If none, mark as “Not Applicable.” <Enter Response Here>
• If it was included in a separate assessment. If none, mark as “Not Applicable.” <Enter Response Here> Identify any factors that resulted in reducing or limiting scope (for example, segmentation of the environment, use of a P2PE solution, etc.) If none, mark as “Not Applicable.” <Enter Response Here>
Modified
p. 37 → 35
Store, process, or transmit account data on the entity’s behalf (for example, payment gateways, payment processors, payment service providers [PSPs]) Manage system components included in the entity’s PCI DSS assessment (for example, via network security control services, anti-malware services, security incident and event management [SIEM], web-hosting companies, IaaS, PaaS, SaaS, FaaS, etc.) Could impact the security of the entity’s account data (for example, vendors providing support via remote access, and/or bespoke software developers).
Store, process, or transmit account data on the entity’s behalf (for example, payment gateways, payment processors, payment service providers [PSPs]) Manage system components included in the entity’s PCI DSS assessment (for example, via network security control services, anti- malware services, security incident and event management [SIEM], web-hosting companies, IaaS, PaaS, SaaS, FaaS, etc.) Could impact the security of the entity’s account data (for example, vendors providing support via remote access, and/or bespoke software developers).
Modified
p. 39 → 37
Network Name (In Scope) Type of Network Function/Purpose of Network <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here>
Network Name (In Scope) Type of Network Function/Purpose of Network <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> 4.6 In-scope Locations/Facilities Identify and provide details for all types of physical locations/facilities (for example, retail locations, corporate offices, data centers, call centers and mail …
Modified
p. 40 → 38
Function Name Function Description <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here>
Function Name Function Description <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> 4.8 In-scope System Component Types Identify all types of system components in scope.
Modified
p. 41 → 38
“System components” include network devices, servers, computing devices, virtual components, cloud components, and software. Examples of system components include but are not limited to:
“System components” include network devices, servers, computing devices, virtual components, cloud components, and software. Examples of system components include, but are not limited to:
Modified
p. 41 → 39
Applications, software, and software components, serverless applications, including all purchased, subscribed (for example, Software-as-a-Service), bespoke and custom software, including internal and external (for example, Internet) applications.
Applications, software, and software components, serverless applications, including all purchased, subscribed (for example, Software- as-a-Service), bespoke and custom software, including internal and external (for example, Internet) applications.
Modified
p. 44 → 42
<Enter Response Here> Assessor comments, if applicable: <Enter Response Here>
<Enter Response Here> Assessor comments, if applicable: <Enter Response Here> 5.2 Attestations of Scan Compliance The scans must cover all externally accessible (Internet-facing) IP addresses in existence at the entity, in accordance with the PCI DSS Approved Scanning Vendors (ASV) Program Guide.
Modified
p. 46 → 44
☐ Yes ☐ No 6.2 Documentation Evidence Identify all evidence for any testing procedure requiring a review of documents such as policies, procedures, standards, records, inventories, vendor documentation, and diagrams. Include the following: (Add rows as needed) Reference Number Document Name (including version, if applicable) Brief Description of Document Document Revision Date (if applicable) EXAMPLE: Doc-1 Company XPY Information Security Policy Information Security Policy 2021-02-18 <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> …
☐ Yes ☐ No 6.2 Documentation Evidence Identify all evidence for any testing procedure requiring a review of documents such as policies, procedures, standards, records, inventories, vendor documentation, and diagrams. Include the following: (Add rows as needed) Reference Number Document Name (including version, if applicable) Brief Description of Document Document Revision Date (if applicable) EXAMPLE: Doc-1 Company XPY Information Security Policy Information Security Policy 2021-02-18 <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> …
Modified
p. 47 → 45
Information Security Manager <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> 6.4 Observation Evidence Identify all evidence for testing procedures requiring an observation, such as observation notes for observed processes. Include the following: (Add rows as needed) Reference Number Observed Process Brief Description of the Process EXAMPLE: Proc-1 Visitor Badge Process Process …
Information Security Manager <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here> 6.4 Observation Evidence Identify all evidence for testing procedures requiring an observation, such as observation notes for observed processes. Include the following: (Add rows as needed) Reference Number Title …
Modified
p. 103 → 101
• Coverage for any sensitive authentication data (SAD) stored prior to completion of authorization. This bullet is a best practice until its effective date; refer to Applicability Notes below for details.
• Coverage for any sensitive authentication data (SAD) stored prior to completion of authorization. This bullet is a best practice until 31 March 2025, after which it will be required as part of Requirement 3.2.1 and must be fully considered during a PCI DSS assessment.
Modified
p. 117 → 115
<Enter Response Here> Validation Method
• Defined Approach Indicate whether a Compensating Control was used: ☐ Yes ☐ No If “Yes”, Identify the aspect(s) of the requirement where the Compensating Control(s) was used.
<Enter Response Here> Validation Method
• Defined Approach Indicate whether a Compensating Control was used: ☐ Yes ☐ No If “Yes”, Identify the aspect(s) of the requirement where the Compensating Control(s) was used. Note: The use of Compensating Controls must also be documented in Appendix C.
Modified
p. 121 → 119
• If used for non-removable electronic media, examine encryption processes used to verify that PAN is also rendered Identify the evidence reference number(s) from Section 6 for all encryption processes examined for this testing procedure.
• If used for non-removable electronic media, examine encryption processes used to verify that PAN is also rendered unreadable via another method that meets Requirement 3.5.1.
Modified
p. 125 → 123
• Preventing the use of the same cryptographic keys in production and test environments. This bullet is a best practice until its effective date; refer to Applicability Notes below for details.
• Preventing the use of the same cryptographic keys in production and test environments. This bullet is a best practice until 31 March 2025, after which it will be required as part of Requirement 3.6.1 and must be fully considered during a PCI DSS assessment.
Removed
p. 153
Identify the evidence reference number(s) from Section 6 for the documented policies and procedures examined for this testing procedure.
Modified
p. 153 → 151
4.2.1.1.b Examine the inventory of trusted keys and certificates to verify it is kept up to date.
Modified
p. 153 → 151
<Enter Response Here> Validation Method
• Customized Approach Indicate whether a Customized Approach was used: ☐ Yes ☐ No If “Yes”, Identify the aspect(s) of the requirement where the Customized Approach was used.
<Enter Response Here> Validation Method
• Customized Approach Indicate whether a Customized Approach was used: ☐ Yes ☐ No If “Yes”, Identify the aspect(s) of the requirement where the Customized Approach was used. Note: The use of Customized Approach must also be documented in Appendix E.
Modified
p. 192 → 189
<Enter Response Here> Identify the evidence reference number(s) from Section 6 for all documentation examined for this testing procedure.
<Enter Response Here> 6.3.1.b Interview responsible personnel, examine documentation, and observe processes to verify that Identify the evidence reference number(s) from Section 6 for all interview(s) conducted for this testing procedure.
Modified
p. 192 → 190
Identify the evidence reference number(s) from Section 6 for all interview(s) conducted for this testing procedure.
Identify the evidence reference number(s) from Section 6 for all documentation examined for this testing procedure.
Modified
p. 219 → 217
Testing Procedures Reporting Instructions Reporting Details: Assessor’s Response 7.2.1.a Examine documented policies and procedures and interview personnel to verify the access control model is defined in accordance with all elements specified in this requirement.
Modified
p. 235 → 232
Assessment Findings (select one) In Place In Place with Remediation Not Applicable Not Tested Not in Place
Assessment Findings (select one) In Place Not Applicable Not Tested Not in Place
Removed
p. 296
Assessment Findings (select one) In Place In Place with Remediation Not Applicable Not Tested Not in Place
Modified
p. 297 → 295
<Enter Response Here> 9.3.1.1.b Observe processes and interview personnel to verify that Identify the evidence reference number(s) from Section 6 for all observation(s) of processes for this testing procedure.
<Enter Response Here> 9.3.1.1.b Observe processes and interview personnel to verify that access of all personnel is revoked immediately upon termination.
Modified
p. 298 → 295
Identify the evidence reference number(s) from Section 6 for all interview(s) conducted for this testing procedure.
Identify the evidence reference number(s) from Section 6 for all observation(s) of processes for this testing procedure.
Modified
p. 298 → 296
<Enter Response Here> Validation Method
• Customized Approach Indicate whether a Customized Approach was used: ☐ Yes ☐ No
<Enter Response Here> Validation Method
• Customized Approach Indicate whether a Customized Approach was used: ☐ Yes ☐ No If “Yes”, Identify the aspect(s) of the requirement where the Customized Approach was used. Note: The use of Customized Approach must also be documented in Appendix E.
Modified
p. 309 → 306
9.4.1.2.b Examine documented procedures, logs, or other documentation, and interview responsible personnel at the storage location(s) to verify that the storage location’s security is reviewed at least once every 12 months.
Modified
p. 323 → 320
PCI DSS Requirement 9.5.1.2 POI device surfaces are periodically inspected to detect tampering and unauthorized substitution. Note: This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
PCI DSS Requirement 9.5.1.2 POI device surfaces are periodically inspected to detect tampering and unauthorized substitution.
Modified
p. 325 → 322
PCI DSS Requirement 9.5.1.2.1 The frequency of periodic POI device inspections and the type of inspections performed is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.
PCI DSS Requirement 9.5.1.2.1 The frequency of periodic POI device inspections and the type of inspections performed is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. Note: This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
Modified
p. 332 → 329
Identify the evidence reference number(s) from Section 6 for all documentation examined for this testing procedure.
Identify the evidence reference number(s) from Section 6 for all interview(s) conducted for this testing procedure.
Modified
p. 332 → 329
10.1.2.b Interview personnel with responsibility for performing activities in Requirement 10 to verify that roles and responsibilities are assigned as defined and are understood.
Modified
p. 337 → 334
<Enter Response Here> Validation Method
• Defined Approach Indicate whether a Compensating Control was used: ☐ Yes ☐ No If “Yes”, Identify the aspect(s) of the requirement where the Compensating Control(s) was used.
<Enter Response Here> Validation Method
• Defined Approach Indicate whether a Compensating Control was used: ☐ Yes ☐ No If “Yes”, Identify the aspect(s) of the requirement where the Compensating Control(s) was used. Note: The use of Compensating Controls must also be documented in Appendix C.
Removed
p. 408
Assessment Findings (select one) In Place In Place with Remediation Not Applicable Not Tested Not in Place
Modified
p. 408 → 405
11.5.2.b Examine settings for the change-detection mechanism to verify it is configured in accordance with all elements specified in this requirement.
Modified
p. 426 → 423
<Enter Response Here> Testing Procedures Reporting Instructions Reporting Details: Assessor’s Response 12.4.1 Additional testing procedure for service provider assessments only: Examine documentation to verify that executive management has established responsibility for the protection of cardholder data and a PCI DSS compliance program in Identify the evidence reference number(s) from Section 6 for all documentation examined for this testing procedure.
<Enter Response Here> Testing Procedures Reporting Instructions Reporting Details: Assessor’s Response 12.4.1 Additional testing procedure for service provider assessments only: Examine documentation to verify that executive management has established responsibility for the protection of cardholder data and a PCI DSS compliance program in accordance with all elements specified in this requirement.
Modified
p. 446 → 442
Assessment Findings (select one) In Place In Place with Remediation Not Applicable Not Tested Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.
Assessment Findings (select one) In Place Not Applicable Not Tested Not in Place Describe why the assessment finding was selected. <Enter Response Here>
Modified
p. 446 → 443
• Customized Approach Indicate whether a Customized Approach was used: ☐ Yes ☐ No If “Yes”, Identify the aspect(s) of the requirement where the Customized Approach was used. Note: The use of Customized Approach must also be documented in Appendix E.
Validation Method
• Customized Approach Indicate whether a Customized Approach was used: ☐ Yes ☐ No If “Yes”, Identify the aspect(s) of the requirement where the Customized Approach was used. Note: The use of Customized Approach must also be documented in Appendix E.
Modified
p. 448 → 444
<Enter Response Here> Testing Procedures Reporting Instructions Reporting Details: Assessor’s Response 12.8.1.a Examine policies and procedures to verify that processes are defined to maintain a list of TPSPs, including a description for each of the services provided, for all TPSPs with whom account data is shared or that could affect the security of account data.
<Enter Response Here> Testing Procedures Reporting Instructions Reporting Details: Assessor’s Response 12.8.1.a Examine policies and procedures to verify that processes Identify the evidence reference number(s) from Section 6 for all policies and <Enter Response Here>
Modified
p. 448 → 445
Identify the evidence reference number(s) from Section 6 for all policies and procedures examined for this testing procedure.
Identify the evidence reference number(s) from Section 6 for all documentation examined for this testing procedure.
Modified
p. 448 → 445
12.8.1.b Examine documentation to verify that a list of all TPSPs is maintained that includes a description of the services provided.
Removed
p. 453
Identify the evidence reference number(s) from Section 6 for all policies and procedures examined for this testing procedure.
Modified
p. 453 → 449
12.8.4.b Examine documentation and interview responsible personnel to verify that the PCI DSS compliance status of each TPSP is monitored at least once every 12 months.
Modified
p. 456 → 451
<Enter Response Here> Testing Procedures Reporting Instructions Reporting Details: Assessor’s Response 12.9.1 Additional testing procedure for service provider assessments only: Examine TPSP policies, procedures, and templates used for written agreements to verify processes are defined for the TPSP to provide written acknowledgments to customers in accordance with all elements specified in this requirement.
<Enter Response Here> Testing Procedures Reporting Instructions Reporting Details: Assessor’s Response 12.9.1 Additional testing procedure for service provider assessments only: Examine TPSP policies, procedures, and templates used for written agreements to verify processes are defined for the TPSP to provide written acknowledgments to customers in accordance with all Identify the evidence reference number(s) from Section 6 for all TPSP policies, procedures, and templates used for written agreements examined for this testing procedure.
Modified
p. 474 → 469
<Enter Response Here> Validation Method
• Customized Approach Indicate whether a Customized Approach was used: ☐ Yes ☐ No
<Enter Response Here> Validation Method
• Customized Approach Indicate whether a Customized Approach was used: ☐ Yes ☐ No If “Yes”, Identify the aspect(s) of the requirement where the Customized Approach was used.
Removed
p. 484
Reporting Template for use with the PCI DSS Designated Entities Supplemental Validation Supplemental Attestation of Compliance for Onsite Assessments
• Designated Entities These documents are available in the PCI SSC Document Library.
Modified
p. 486 → 481
The assessor is required to thoroughly evaluate compensating controls during each annual PCI DSS assessment to confirm that each compensating control adequately addresses the risk that the original PCI DSS requirement was designed to address, per items 1-5 above.
The assessor is required to thoroughly evaluate compensating controls during each annual PCI DSS assessment to confirm that each compensating control adequately addresses the risk that the original PCI DSS requirement was designed to address, per items 1-6 above.