Document Comparison

PCI_CP_ROC_v3.0_Reporting_Template_Physical.pdf → PCI_CP_ROC_v3.0_Reporting_Template_Physical_Form.pdf
82% similar
199 → 203 Pages
59069 → 59281 Words
27 Content Changes

Content Changes

27 content changes. 11 administrative changes (dates, page numbers) hidden.

Added p. 76
Section 2 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 2.3.5.4 PIN Mailer Production Room
Added p. 80
Section 2 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 2.3.5.6 Vault The vault is the primary security area in the vendor facility.
Added p. 101
Section 2 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 2.4.3.1 Activity Reports
Added p. 111
Section 2 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 2.4.6 Closed Circuit Television (CCTV) 2.4.6.1 CCTV Cameras

Section 2 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 2.4.6.2 Monitor, Camera, and Digital Recorder Requirements
Added p. 181
• must be performed in the personalization HSA or in a separate HSA that meets the physical and logical requirements for a personalization HSA.
Modified p. 40
f) At a minimum, the vendor must make visitors aware of vendor security and confidentiality requirements, and the vendor-provided escort must ensure the visitor’s adherence to those requirements.
a) At a minimum, the vendor must make visitors aware of vendor security and confidentiality requirements, and the vendor-provided escort must ensure the visitor’s adherence to those requirements.
Modified p. 45
Section 2 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 2.1 External Structure 2.1.1 External Construction
Section 2 Requirement Card Vendor Self- Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 2.1 External Structure 2.1.1 External Construction
Modified p. 48
Section 2 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 2.1.3 External Walls, Doors, and Windows
Section 2 Requirement Card Vendor Self- Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 2.1.3 External Walls, Doors, and Windows
Removed p. 49
Section 2 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment
Modified p. 50
Section 2 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 2.2.1 Emergency Exits
Section 2 Requirement Card Vendor Self- Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 2.2.1 Emergency Exits
Modified p. 56 → 57
Section 2 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 2.3.2 Security Control Room This is the room housing the primary CCTV monitoring systems, intrusion, fire, and alarm-system control and access-control systems.
Section 2 Requirement Card Vendor Self- Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 2.3.2 Security Control Room This is the room housing the primary CCTV monitoring systems, intrusion, fire, and alarm-system control and access-control systems.
Removed p. 60
Section 2 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment
Modified p. 62 → 63
Section 2 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 2.3.3 High Security Areas (HSAs) Areas in production facility where card products, components, or data are stored or processed are called high security areas. Only card production and provisioning-related activities shall take place within the HSA.
Section 2 Requirement Card Vendor Self- Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 2.3.3 High Security Areas (HSAs) Areas in production facility where card products, components, or data are stored or processed are called high security areas. Only card production and provisioning-related activities shall take place within the HSA.
Modified p. 64 → 65
Section 2 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 2.3.4 HSA – Security Protection and Access Procedures 2.3.4.1 Access Control
Section 2 Requirement Card Vendor Self- Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 2.3.4 HSA – Security Protection and Access Procedures 2.3.4.1 Access Control
Modified p. 84 → 86
Section 2 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 2.3.6 Other Areas 2.3.6.1 Goods-tools Traps Goods-tools trap configuration options are as follows:
Section 2 Requirement Card Vendor Self- Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 2.3.6 Other Areas 2.3.6.1 Goods-tools Traps Goods-tools trap configuration options are as follows:
Modified p. 90 → 93
Section 2 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 2.4 Internal Security 2.4.1 Alarm Systems
Section 2 Requirement Card Vendor Self- Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 2.4 Internal Security 2.4.1 Alarm Systems
Removed p. 99
Section 2 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 2.4.3.2 System Administration The vendor must ensure that:

Section 2 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 2.4.3.3 Remote-access Controls
Modified p. 102 → 105
Section 2 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 2.4.4 Duress Buttons 2.4.4.1 Location Duress buttons must be located in the following areas:
Section 2 Requirement Card Vendor Self- Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 2.4.4 Duress Buttons 2.4.4.1 Location Duress buttons must be located in the following areas:
Modified p. 104 → 107
Section 2 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 2.4.5 Locks and Keys 2.4.5.1 Key Receipt and Return The term "key" as used below refers to any physical key or combination giving access to a restricted area, including those inside the HSA or cloud-based provisioning area.
Section 2 Requirement Card Vendor Self- Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 2.4.5 Locks and Keys 2.4.5.1 Key Receipt and Return The term "key" as used below refers to any physical key or combination giving access to a restricted area, including those inside the HSA or cloud-based provisioning area.
Modified p. 112 → 116
Section 2 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 2.4.7 Security Device Inspections 2.4.7.1 Semi-Annual Inspections
Section 2 Requirement Card Vendor Self- Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 2.4.7 Security Device Inspections 2.4.7.1 Semi-Annual Inspections
Modified p. 113 → 117
Section 2 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 2.4.7.2 Battery Testing
Section 2 Requirement Card Vendor Self- Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 2.4.7.2 Battery Testing
Modified p. 178 → 182
Select Examine documentation to verify that clear- text PINs are never to be available on any system on the personalization network.
Select Examine documentation to verify that clear-text PINs are never to be available on any system on the personalization network.
Modified p. 179 → 183
Section 5 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 5.8 PINs must be deleted from the PIN-printing system immediately after printing using a secure erasure tool that prevents recovery of the PIN using forensic techniques or off-the-shelf recovery software.
Section 5 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 5.8 PINs must be deleted from the PIN-printing system immediately after printing using a secure erasure tool that prevents recovery of the PIN using forensic techniques or off-the- shelf recovery software.
Modified p. 179 → 183
Select Examine documentation to verify that clear- text PINs are not stored.
Select Examine documentation to verify that clear-text PINs are not stored.
Modified p. 180 → 184
a) The personalization HSA Select Examine documentation to verify that clear- text PINs only exist within a single integrated device.
a) The personalization HSA Select Examine documentation to verify that clear-text PINs only exist within a single integrated device.
Modified p. 180 → 184
c) A separate HSA that meets the physical and logical requirements for a personalization HSA Select Observe the separate HSA to verify set-up of the separate HSA meets the physical and logical requirements for a personalization HSA.
c) A separate HSA that meets the physical and logical requirements for a personalization HSA Select Observe the separate HSA to verify set- up of the separate HSA meets the physical and logical requirements for a personalization HSA.
Modified p. 181 → 185
Select Observe the PIN-printing process to verify that the PIN is concealed in tamper-evident packaging:
Select Observe the PIN-printing process to verify that the PIN is concealed in tamper- evident packaging: