Document Comparison
PCI-DSS-v4-0-ROC-Template-FAQs-r1.pdf
→
PCI-DSS-v4-x-ROC-Template-FAQs-r2.pdf
67% similar
Pages: 15 → 12
Words: 4111 → 3818
Content Changes: 28
From Revision History
- August 2024 ©2006 - 2024 PCI Security Standards Council, LLC. All Rights Reserved.
Content Changes
28 content changes. 17 administrative changes (dates, page numbers) hidden.
Added
p. 2
1. Overview of PCI DSS v4.x Reporting 1.1 What has changed in the PCI DSS v4.x ROC Template? Refer to the following documents for details:
• PCI DSS ROC Template Summary of Changes from ROC Template v4.0 to v4.0.1.
• Frequently Asked Questions r1 (for updates to the PCI DSS v4.0 ROC Template).
2. ROC Reporting Features for PCI DSS v4.x 2.1 What is the purpose of Section 1.7: Overall Assessment Result? The Overall Assessment Result ROC section is to document the overall status of a PCI DSS assessment, based on findings noted in the Assessment Findings for each PCI DSS requirement. The Overall Assessment Result table below is excerpted from the PCI DSS v4.x ROC Template:
Requirement Description 1.1 Example Requirement Description
PCI DSS Requirement 1.1.1 Example Requirement Assessment Findings (select one) Select If below Method(s) Was Used In Place Not Applicable Not Tested Not in Place Compensating Control* Customized Approach* ☐ ☐ ☐ …
Modified
p. 1
PCI DSS v4.x Report on Compliance Template - Frequently Asked Questions Revision 1
PCI DSS v4.x Report on Compliance Template - Frequently Asked Questions Revision 2
Removed
p. 2
1. What has changed in the PCI DSS v4.x ROC Template? ROC Section Description of Change Throughout Updates to reflect changes in PCI DSS v4.x Updates to improve clarity and reduce redundancy Separated the ROC into three parts:
• ROC Template Instructions
• instructional content that is used to complete the ROC. This part can optionally be deleted prior to releasing the final report
• Part I: Assessment Overview
• Part II: Findings and Observations and Appendices In parts I and II minor modifications are allowed, such as increasing/decreasing the number of rows or to change the column width; however, deletion of content is not allowed.
Use of reference numbers in the Summary Overview/Findings and Observations is no longer optional. There is also the option to identify items in the response in the Findings and Observations section in addition to the reference number.
Updated Summary of Assessment Findings (aligns with new checkboxes within the Findings and …
Removed
p. 2
• Removed “In Place with Remediation” as a reporting option from the Summary of Assessment Findings.
Modified
p. 2
• PCI DSS v4.x ROC Template
Removed
p. 3
• Removed “In Place with Remediation” as an Assessment Finding.
Added Instructions for Assessment Approach Reporting Options Aligned the Reporting Instruction Terms for consistency with other PCI standards:
• Describe Part I: Assessment Overview Added a customizable title page Updated the Overall Assessment Results to align with the AOC
• Full/Partial Assessment
1. Indicate whether a Full Assessment or a Partial Assessment was completed.
• Overall Assessment Result descriptions (Same three options exist in the AOC of PCI DSS v3.2.1)
1. Compliant 2. Compliant but with Legal Exception 3. Non-Compliant
• Removed “In Place with Remediation” from Overall Assessment Results.
Added following sections:
• Remote Assessment Activities
• Use of Subcontractors
• Additional Information/Reporting
• Overall Assessment Result
• Attestation Signatures
• Quarterly Internal Scan Results Added Section 6 Evidence (Assessment Workpapers)
• Added a column for assessor documentation to tables 6.3 and 6.4.
Removed
p. 4
• Connected entities for payment processing and transmission
• Other business entities that require compliance with the PCI DSS
• Managed service providers Updated, merged, and/or moved sections to reduce redundancy, add clarity, and/or improve readability Part II: Findings and Observations Reporting updated to facilitate reporting for defined approach, customized approach, or a combination of the two Updated the reporting to focus more on referencing evidence for the defined approach Added a narrative for each requirement to explain why the assessment finding was selected. Specific instructions for each assessment finding are found in the “Required Reporting” column in the Assessment Findings section in ROC Template Instructions
• Removed “In Place with Remediation” as a reporting option from each requirement in Part II: Findings and Observations.
Appendices Minor updates to Compensating Controls Worksheet
• Clarified instructions at the start of Appendix C.
Addition of Customized Approach Template
• Clarified instructions at the start of Appendix D.
Modified
p. 5 → 2
ASSESSMENT APPROACH WHEN TO USE THIS APPROACH Customized Approach (New option) Focuses on the Customized Approach Objective of each PCI DSS Requirement (if applicable), allowing entities to implement controls to meet the requirement’s stated Customized Approach Objective in a way that does not strictly follow the defined requirement. The customized approach supports innovation in security practices, allowing entities greater flexibility to show how their current security controls meet PCI DSS requirements. Refer to the PCI DSS Requirements and Testing Procedures …
ASSESSMENT APPROACH WHEN TO USE THIS APPROACH Customized Approach Focuses on the Customized Approach Objective of each PCI DSS Requirement (if applicable), allowing entities to implement controls to meet the requirement’s stated Customized Approach Objective in a way that does not strictly follow the defined requirement. The customized approach supports innovation in security practices, allowing entities greater flexibility to show how their current security controls meet PCI DSS requirements. Refer to the PCI DSS Requirements and Testing Procedures v4.x for …
Removed
p. 6
2. New ROC Reporting Features for PCI DSS v4.x 2.1 What is the purpose of Section 1.7: Overall Assessment Result? Overall Assessment Result is a new ROC section to provide the overall status of a PCI DSS assessment, based on findings noted in the Assessment Findings for each PCI DSS requirement. The Overall Assessment Result table below is excerpted from the PCI DSS v4.x ROC Template:
Modified
p. 7 → 4
These results are summarized in new Section 1.8 Summary of Assessment.
These results are summarized in Section 1.8 Summary of Assessment.
Modified
p. 7 → 4
Here is an excerpt from Part II: Findings and Observations that shows the headings and reporting options:
Here is sample layout of Part II: Section 7 Findings and Observations that shows the headings and reporting options:
Removed
p. 8
• Not in Place 2.4 What is the purpose of section 1.9 Attestation Signatures? The attestation signatures section is intended to emphasize to the assessor the importance of conducting an independent, fact-based assessment that is complete and accurate to the best of the assessor’s knowledge and to capture such acknowledgement by the assessor for PCI SSC quality assurance purposes. This section does not change the intended audience or distribution methods for the ROC.
4. Assessment Findings 4.1 When determining which one of the summary findings is appropriate for a sub-requirement, is there any more guidance available on those options beyond what is in the “Introduction to the ROC Template” section of the ROC Template for PCI DSS v4.x? The following table is a supplement to the explanation provided within the ROC Template for PCI DSS v4.x. Only one response should be selected at the sub-requirement.
Modified
p. 9 → 6
3. New ROC Reporting Options for PCI DSS v4.x Explained 3.1 Why have Full Assessment and Partial Assessment been added to the ROC Template? These reporting options have been added to provide better transparency in reporting. When an entity undergoes a Full Assessment, all PCI DSS requirements have been considered and no requirements are marked as Not Tested. When an entity undergoes a Partial Assessment, only a subset of PCI DSS requirements has been considered and one or more requirements …
3. ROC Reporting Options for PCI DSS v4.x 3.1 What is the difference between the Full Assessment and Partial Assessment options in the ROC Template? When an entity undergoes a Full Assessment, all PCI DSS requirements have been considered and no requirements are marked as Not Tested. When an entity undergoes a Partial Assessment, only a subset of PCI DSS requirements has been considered and one or more requirements are marked as Not Tested. Refer to question 4.2 below “What …
Modified
p. 10 → 7
• An organization may be asked by their acquirer or brand to validate a subset of requirements
•for example, using the prioritized approach to validate certain milestones.
• An organization may be asked by their acquirer or brand to validate a subset of requirements
•for example, using the PCI DSS Prioritized Approach to address only certain milestones.
Modified
p. 10 → 7
• A service provider organization might offer a service that covers only a limited number of PCI DSS requirements
•for example, a physical storage provider may want only to validate the physical security controls per PCI DSS Requirement 9 for their storage facility.
• A service provider organization might offer a service that covers only a limited number of PCI DSS requirements
•for example, a physical storage provider may want to validate only the physical security controls per PCI DSS Requirement 9 for their storage facility.
Modified
p. 10 → 7
In these scenarios, the organization wants only to validate certain PCI DSS requirements, even though other requirements might also apply to their environment. The resulting AOC(s) must be clear in what was tested and not tested.
In these scenarios, the organization wants to validate only certain PCI DSS requirements, even though other requirements might also apply to their environment.
Modified
p. 11 → 8
• A service provider organization offers a service that covers only a limited number of PCI DSS requirements-for example, a physical storage provider that only wishes to validate the physical security controls per PCI DSS Requirement 9 for their storage facility.
• A service provider organization offers a service that covers only a limited number of PCI DSS requirements-for example, a physical storage provider that wants to validate only the physical security controls per PCI DSS Requirement 9 for their storage facility.
Modified
p. 11 → 8
• Acquirer asking for a report on a subset of requirements (for example, the prioritized approach).
• Acquirer asks for a report only covering a subset of requirements (for example, using the PCI DSS Prioritized Approach).
Modified
p. 11 → 8
Testing Assessor performs the appropriate testing and validation on all requirements. Any PCI DSS requirement where testing verifies the non-applicability of that requirement is marked as Not Applicable, which would result in a Full Assessment*. *By definition, no requirements are marked as “Not Tested”.
Testing Assessor performs the appropriate testing and validation on all requirements. Any PCI DSS requirement where testing verifies the non-applicability of that requirement is marked as Not Applicable, which would NOT result in a Partial Assessment.
Modified
p. 11 → 8
Assessor only validates the physical security controls per PCI DSS Requirement 9. The remaining requirements are marked as Not Tested which would result in a Partial Assessment.
Assessor performs appropriate testing and validation only for the specified requirements. The remaining requirements are marked as Not Tested, which would result in a Partial Assessment.
Modified
p. 12 → 9
5. General Questions 5.1 Is use of the ROC Template for PCI DSS v4.x mandatory? The PCI DSS ROC Template is mandatory for QSAs to use for official reporting of a PCI DSS assessment. Requirements for ISAs and reporting should be discussed with the brands and/or acquirers accepting the Report on Compliance. For official reporting of a PCI DSS v4.0 assessment by a QSA, the ROC Template must be completed, with all response sections completed (even if to note that …
5. General Questions 5.1 Is use of the ROC Template for PCI DSS v4.x mandatory? Yes. The PCI DSS ROC Template is mandatory for QSAs to use when documenting a detailed PCI DSS assessment (as contrasted with a less detailed PCI DSS self-assessment documented in a Self-Assessment Questionnaire (SAQ)). All response sections in the ROC Template must be completed (even if to note that sections or requirements are not applicable). Reporting requirements for ISAs should be discussed with the brands …
Modified
p. 12 → 9
Other changes must be minimal and the format of the ROC Template for PCI DSS v4.x must remain unchanged. This includes reordering of sections, which is NOT allowed. Nothing is permitted to be removed from Parts I and II of the document, including sections or requirements
Other changes must be minimal and the format of the ROC Template for PCI DSS v4.x must remain unchanged. This includes reordering of sections, which is NOT allowed. Nothing is permitted to be removed from Parts I and II of the document, including sections or requirements determined to be not applicable. Those sections and/or requirements must remain in the completed ROC Template with the “Not Applicable” result documented instead. Edits to the footers are explicitly not allowed.
Removed
p. 13
• QSAs must ensure there is reasonable distinction between the content has been added by the QSA and is not part of the published PCI SSC document.
Modified
p. 13 → 10
• Removal of ROC Template Instructions The following changes are prohibited:
• Removal of the ROC Template PCI SSC cover page, the Document Changes table, the ROC Template Table of Contents, and ROC Template Instructions The following changes are prohibited:
Modified
p. 13 → 10
• All additions should be considered carefully, and such content should be added only to the customizable title page of the document.
• Ensure that any content added by the QSA is clearly distinguishable from the content that is part of the published PCI SSC document. All additions should be considered carefully, and such content should be added only to the customizable title page of the document.
Modified
p. 13 → 10
• Accepting entities (Payment Brands and/or Acquirers) may choose not to accept any report that has changes to the ROC Template they believe are unacceptable.
• The entities to which a ROC is submitted (payment brands and/or acquirers) may choose not to accept any report that has changes to the ROC Template they believe are unacceptable.
Modified
p. 14 → 11
• After the table of contents at the beginning of the document, the following disclaimer must be included in both in English and the translated language: "Note
•This document (the "Translation") is an unofficial, <<final language>> language translation of the original English language version provided herewith ("Official Version"). The Translation has been prepared by <<QSA Company>>, and PCI SSC has not had any involvement in and does not endorse the Translation. <QSA Company> hereby certifies that it has made all attempts …
• This document (the "Translation") is an unofficial, <<final language>> language translation of the original English language version provided herewith ("Official Version"). The Translation has been prepared by <<QSA Company>>, and PCI SSC has not had any involvement in and does not endorse the Translation. <QSA Company> hereby certifies that it has made all attempts to ensure that the Translation accurately, completely, and truly reflects the Official Version in form and substance. <<QSA Company>> is and shall be solely responsible …
Modified
p. 15 → 12
6. Cardholder data storage 6.1 My client feels that inclusion of the cardholder data storage table in the completed ROC puts too much sensitive data into one document. How can I address their concerns, but complete the ROC Template appropriately? In this case, it may make sense to put a document reference in the ROC Template at 4.3 for the QSA to attest that the cardholder data storage has been documented according to 4.3 and identify where in the work …
6. Account data storage 6.1 My client feels that the Storage of Account Data table in the completed ROC combines a lot of sensitive data into one document. How can I address their concerns, but complete the ROC Template appropriately? It is acceptable in the ROC Template at 4.3 for the QSA to attest that the storage of account data has been separately documented according to 4.3 and to include a document reference to identify where in the work papers …