Document Comparison

PCI-DSS-v4.x-Sample-Templates-Customized-Approach.pdf → PCI-DSS-v4_x-Sample-Templates-Cust-App-r1.pdf
94% similar
7 → 7 Pages
2264 → 2326 Words
13 Content Changes

Content Changes

13 content changes. 6 administrative changes (dates, page numbers) hidden.

Added p. 1
As described in PCI DSS v4.x Appendix D: Customized Approach, entities using the customized approach must complete a controls matrix to provide details for each implemented control that explain what is implemented, how the entity has determined that the controls meet the stated objective of a PCI DSS requirement, how the control provides at least the equivalent level of protection as would be achieved by meeting the defined requirement, and how the entity has assurance about the effectiveness of the control on an ongoing basis.

<Entity includes details of individual personnel/roles and/or teams, as applicable, that manage, maintain, and monitor the control> If applicable, how is the control(s) an enhancement to any other PCI DSS control(s) already required for the item under review? <Entity describes how this control is an enhancement to any other PCI DSS control(s) required for the item under review>
Removed p. 1
As described in Appendix D: Customized Approach, entities using the customized approach must complete a controls matrix to provide details for each implemented control that explain what is implemented, how the entity has determined that the controls meet the stated objective of a PCI DSS requirement, how the control provides at least the equivalent level of protection as would be achieved by meeting the defined requirement, and how the entity has assurance about the effectiveness of the control on an ongoing basis.
Modified p. 1
PCI DSS v4.x Sample Templates to Support Customized Approach This document contains example templates for the controls matrix and a targeted risk analysis, to be documented by the entity as part of the customized approach. These templates are examples of formats that could be used.
PCI DSS v4.x Sample Templates to Support the Customized Approach This document contains example templates for the controls matrix and a targeted risk analysis, to be documented by the entity as part of the customized approach. These templates are examples of formats that could be used.
Modified p. 1
Sample Controls Matrix Template The following is a sample controls matrix template that an entity may use to document their customized implementation.
Customized Approach - Sample Controls Matrix Template The following is a sample controls matrix template that an entity may use to document their customized implementation.
Modified p. 2
Details of control(s) What is the implemented control(s)? <Entity describes what the control is and what it does> Where is the control(s) implemented? <Entity identifies locations of facilities and system components where control is implemented and managed> When is the control(s) performed? <Entity details how frequently the control is performed

• for example, runs continuously in real time or is scheduled to run at NN times and at XX intervals> Who has overall responsibility and accountability for the control(s)? <Entity includes …
Details of control(s) What is the implemented control(s)? <Entity describes what the control is and what it does> Where is the control(s) implemented? <Entity identifies locations of facilities and system components where control is implemented and managed> When is the control(s) performed? <Entity details how frequently the control is performed

• for example, runs continuously in real time or is scheduled to run at NN times and at XX intervals> Who has overall responsibility and accountability for the control(s)? <Entity includes …
Modified p. 2 → 3
<Entity describes how the control meets the stated customized approach objective of the PCI DSS requirement, and summarizes related results>
<Entity describes how the control meets the stated customized approach objective of the PCI DSS requirement, and summarizes related results> Entity describes testing it performed and the results of that testing that demonstrates the control(s) meets the objective of the applicable requirement.
Modified p. 3
<Entity describes the testing it performed to prove the control meets the stated objective of the PCI DSS requirement, and summarizes related results> Entity briefly describes the results of the separate targeted risk analysis it performed that explains the control(s) implemented and describes how the results verify the control(s) provides at least an equivalent level of protection as the defined approach for the applicable PCI DSS requirement. See the separate Targeted Risk Analysis Template for details on how to document …
<Entity describes the testing it performed to prove the control meets the stated objective of the PCI DSS requirement, and summarizes related results> Entity briefly describes the results of the separate targeted risk analysis it performed that explains the control(s) implemented and describes how the results verify the control(s) provides at least an equivalent level of protection as the defined approach for the applicable PCI DSS requirement. See the separate Customized Approach - Sample Targeted Risk Analysis Template for details on …
Modified p. 4
As described in Appendix D: Customized Approach and in accordance with PCI DSS Requirement 12.3.2, an entity using the customized approach must provide a detailed targeted risk analysis for each requirement the entity is meeting with the customized approach. The risk analysis defines the risk, evaluates the effect on security if the defined requirement is not met, and describes how the entity has determined that the controls provide at least an equivalent level of protection as provided by the defined …
As described in PCI DSS v4.x Appendix D: Customized Approach, an entity using the customized approach must provide a detailed targeted risk analysis for each requirement the entity is meeting with the customized approach. The risk analysis defines the risk, describes how the entity has determined that the controls meet the Customized Approach Objective, and how the entity has determined that the controls provide at least an equivalent level of protection as the defined PCI DSS requirement.
Modified p. 4
The asset being protected is the cardholder data that is stored, processed, or transmitted by the entity.
The asset being protected is the cardholder data that is stored, processed, or transmitted by the entity.
Modified p. 4
The threat actor is highly motivated and capable. The motivation and capability of threat actors tends to increase in relation to the volume of cardholder data that a successful attack will realize.
The threat actor is highly motivated and capable. The motivation and capability of threat actors tends to increase in relation to the volume of cardholder data that a successful attack will realize.
Modified p. 4
The likelihood that an entity will be targeted by threat actors increases as the entity stores, processes, or transmits greater volumes of cardholder data.
The likelihood that an entity will be targeted by threat actors increases as the entity stores, processes, or transmits greater volumes of cardholder data.
Modified p. 4
The mischief is directly related to the objective. For example, if the objective is “malicious software cannot execute”, the mischief is that malicious software executes; if the objective is “day-to-day responsibilities for performing all the activities are allocated”, the mischief is that the responsibilities are not allocated.
The mischief is directly related to the objective. For example, if the objective is “malicious software cannot execute”, the mischief is that malicious software executes; if the objective is “day-to-day responsibilities for performing all the activities are allocated”, the mischief is that the responsibilities are not allocated.
Modified p. 7
4. Analyze any changes to the IMPACT of unauthorized access to account data 4.1 For the scope of system components that this solution covers what volume of account data would be at risk of unauthorized access if the solution failed? 4.1.1 Number of stored PANs Maximum at any one time 4.1.2 Number of PANs processed or transmitted over a 12-month period 4.2 Description of how the customized controls will directly:
4. Analyze any changes to the IMPACT of unauthorized access to PANs 4.1 For the scope of system components that this solution covers what volume of PANs would be at risk of unauthorized access if the solution failed? 4.1.1 Number of stored PANs Maximum at any one time 4.1.2 Number of PANs processed or transmitted over a 12-month period 4.2 Description of how the customized controls will directly: