Document Comparison

PCI-DSS-v3-2-1-DESV-S-ROC-Template-r2.pdf → PCI-DSS-v4-0-DESV-S-ROC-Template-r1.pdf
38% similar
23 → 39 Pages
7705 → 8530 Words
128 Content Changes

From Revision History

  • June 2015 For use with PCI DSS v3.1 Revision 1.0
  • December 2018 For use with PCI DSS v3.2.1 Revision 1.0
  • June 2022 For use with PCI DSS v4.0 To update the template to align with PCI DSS v4.0.
  • December 2022 For use with PCI DSS v4.0 Revision 1
  • December 2022 © 2006 - 2022 PCI Security Standards Council, LLC. All Rights Reserved. Page 2

Content Changes

128 content changes. 51 administrative changes (dates, page numbers) hidden.

Added p. 1
Payment Card Industry Data Security Standard
Added p. 3
This “Supplemental ROC Template” or “S-ROC” is to be completed according to the same instructions provided in the PCI DSS v4.0 Report on Compliance (ROC) Template. Refer to the PCI DSS v4.0 ROC Template and the PCI DSS v4.x Report on Compliance Template - Frequently Asked Questions documents on the PCI SSC website for detailed instructions on how to complete these reporting templates. Do not delete any content from any place in this document, including this section and the versioning above. Excessive personalization and changes to sections
Added p. 4
DESV Requirement Assessment Finding Select all options that apply.

Select If Below Method Was: In Place / Not Applicable / Not in Place / Compensating Control
Requirement A3.1: ☐ ☐ ☐ ☐
Requirement A3.2: ☐ ☐ ☐ ☐
Requirement A3.3: ☐ ☐ ☐ ☐
Requirement A3.4: ☐ ☐ ☐ ☐
Requirement A3.5: ☐ ☐ ☐ ☐

In the sections below, identify the DESV requirements with the following results and assessment method. If there are none, enter “Not Applicable.” Note: Natural grouping of requirements is allowed (for example, Req. A3.1.1, A3.1.2, A3.1.3, or A3.1.1 through A3.1.4, etc.) to reduce the number of individual requirements listed.

Not Applicable: <Enter Response Here>
Not in Place Due to a Legal Restriction: <Enter Response Here>
Not in Place Not Due to a Legal Restriction: <Enter Response Here>
Compensating Control: <Enter Response Here>
Added p. 5
<Enter Response Here>

2 Findings and Observations

Requirement Description: A3.1 A PCI DSS compliance program is implemented.

PCI DSS Requirement A3.1.1 Responsibility is established by executive management for the protection of account data and a PCI DSS compliance program that includes:

• Providing updates to executive management and board of directors on PCI DSS compliance initiatives and issues, including remediation activities, at least once every 12 months.

PCI DSS Reference: Requirement 12

Assessment Findings (select one): In Place / Not Applicable / Not in Place

Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.
Added p. 6
Identify the evidence reference number(s) from Section 6 of the ROC Template for the company’s PCI DSS charter examined for this testing procedure.

Identify the evidence reference number(s) from Section 6 of the ROC Template for all executive management and board of directors meeting minutes and/or presentations examined for this testing procedure.

• A process for performing business-impact analysis to determine potential PCI DSS impacts for strategic business decisions.

PCI DSS Reference: Requirements 1-12

Assessment Findings (select one): In Place / Not Applicable / Not in Place

Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.
Added p. 8
<Enter Response Here>

A3.1.2.b Interview personnel and observe compliance activities to verify that a formal PCI DSS compliance program is implemented in accordance with all elements specified in this requirement.
Added p. 8
<Enter Response Here>

Identify the evidence reference number(s) from Section 6 of the ROC Template for all observation(s) of compliance activities for this testing procedure.

• Managing business-impact analysis to determine potential PCI DSS impacts for strategic business decisions.

PCI DSS Reference: Requirement 12

Assessment Findings (select one): In Place / Not Applicable / Not in Place

Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.

Validation Method

• Defined Approach

Indicate whether a Compensating Control was used: ☐ Yes ☐ No

If “Yes”, identify the aspect(s) of the requirement where the Compensating Control(s) was used. Note: The use of Compensating Controls must also be documented in Appendix C of the ROC Template.
Added p. 10
PCI DSS Requirement A3.1.4 Up-to-date PCI DSS and/or information security training is provided at least once every 12 months to personnel with PCI DSS compliance responsibilities (as identified in A3.1.3).

PCI DSS Reference: Requirement 12

Assessment Findings (select one): In Place / Not Applicable / Not in Place

Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.

<Enter Response Here>

Identify the evidence reference number(s) from Section 6 of the ROC Template for all certificates of attendance or other records examined for this testing procedure.
Added p. 12
PCI DSS Requirement A3.2.1 PCI DSS scope is documented and confirmed for accuracy at least once every three months and upon significant changes to the in-scope environment. At a minimum, the scoping validation includes:

• Identifying all data flows for the various payment stages (for example, authorization, capture, settlement, chargebacks, and refunds) and acceptance channels (for example, card-present, card-not-present, and e-commerce).

• Updating all data-flow diagrams per Requirement 1.2.4.

• Identifying all locations where account data is stored, processed, and transmitted, including but not limited to 1) any locations outside of the currently defined CDE, 2) applications that process CHD, 3) transmissions between systems and networks, and 4) file backups.

• For any account data found outside of the currently defined CDE, either 1) securely delete it, 2) migrate it into the currently defined CDE, or 3) expand the currently defined CDE to include it.

• Identifying all system components in the CDE, connected to …
Added p. 13
<Enter Response Here>

A3.2.1.b Examine documented results of scope reviews occurring at least once every three months to verify that scoping validation includes all elements specified in this requirement.

Identify the evidence reference number(s) from Section 6 of the ROC Template for all documented results of scope reviews examined for this testing procedure.

• Documented sign-off of the results of the impact assessment by responsible personnel (as defined in A3.1.3).

PCI DSS Reference: Scope of PCI DSS Requirements; Requirements 1-12

Assessment Findings (select one): In Place / Not Applicable / Not in Place

Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.
Added p. 15
Identify the evidence reference number(s) from Section 6 of the ROC Template for all change documentation examined for this testing procedure.

PCI DSS Requirement A3.2.2.1 Upon completion of a change, all relevant PCI DSS requirements are confirmed to be implemented on all new or changed systems and networks, and documentation is updated as applicable.

PCI DSS Reference: Scope of PCI DSS Requirements; Requirement 1-12

Assessment Findings (select one): In Place / Not Applicable / Not in Place

Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.

Validation Method

• Defined Approach

Indicate whether a Compensating Control was used: ☐ Yes ☐ No
Added p. 16
<Enter Response Here>

Testing Procedures / Reporting Instructions / Reporting Details: Assessor’s Response

A3.2.2.1 Examine change records and the affected systems/networks, and interview personnel to verify that all relevant PCI DSS requirements were confirmed to be implemented and documentation updated as part of the change.

Identify the evidence reference number(s) from Section 6 of the ROC Template for all change records examined for this testing procedure.

<Enter Response Here>

Identify the evidence reference number(s) from Section 6 of the ROC Template for all affected systems/networks examined for this testing procedure.

PCI DSS Requirement A3.2.3 Changes to organizational structure result in a formal (internal) review of the impact to PCI DSS scope and applicability of controls.

PCI DSS Reference: Requirement 12

Assessment Findings (select one): In Place / Not Applicable / Not in Place

Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings …
Added p. 19
Identify the evidence reference number(s) from Section 6 of the ROC Template for the results from the most recent penetration test examined for this testing procedure.

• Confirms PCI DSS scope.

• Addresses the potential for cleartext PAN to reside on systems and networks outside the currently defined CDE.

PCI DSS Reference: Scope of PCI DSS Requirements

Assessment Findings (select one): In Place / Not Applicable / Not in Place

Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.

<Enter Response Here>

Testing Procedures / Reporting Instructions / Reporting Details: Assessor’s Response

A3.2.5.a Examine the documented data-discovery methodology to verify it includes all elements specified in this requirement.

Identify the evidence reference number(s) from Section 6 of the ROC Template for the documented data-discovery methodology examined for this testing procedure.

<Enter Response Here>

A3.2.5.b Examine results from recent data …
Added p. 22
<Enter Response Here>

Identify the evidence reference number(s) from Section 6 of the ROC Template for all documentation examined for this testing procedure.

Identify the evidence reference number(s) from Section 6 of the ROC Template for the results of effectiveness tests examined for this testing procedure.

• Identifying whether any track data is stored with the PANs.
Added p. 24
Identify the evidence reference number(s) from Section 6 of the ROC Template for all documented response procedures examined for this testing procedure.

<Enter Response Here>

Identify the evidence reference number(s) from Section 6 of the ROC Template for all records of response actions examined for this testing procedure.

• Generating audit logs and alerts upon detection of cleartext PAN leaving the CDE via an unauthorized channel, method, or process.

PCI DSS Reference: Scope of PCI DSS Requirements, Requirement 12

Assessment Findings (select one): In Place / Not Applicable / Not in Place

Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.

<Enter Response Here>

Testing Procedures / Reporting Instructions / Reporting Details: Assessor’s Response

A3.2.6.a Examine documentation and observe implemented mechanisms to verify that the mechanisms are in accordance with all elements specified in this requirement.

<Enter Response …
Added p. 28
PCI DSS Requirement A3.3.1 Failures of critical security control systems are detected, alerted, and addressed promptly, including but not limited to failure of:

• Anti-malware solutions

• Automated audit log review mechanisms. This bullet is a best practice until 31 March 2025, after which they will be required as part of Requirement A3.3.1 and must be fully considered during a PCI DSS assessment.

• Automated code review tools (if used). This bullet is a best practice until 31 March 2025, after which they will be required as part of Requirement A3.3.1 and must be fully considered during a PCI DSS assessment.

PCI DSS Reference: Requirements 1-12

Assessment Findings (select one): In Place / Not Applicable / Not in Place

Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.

<Enter Response Here>

Testing Procedures / Reporting Instructions / Reporting …
Added p. 29
Identify the evidence reference number(s) from Section 6 of the ROC Template for all detection and alerting processes examined for this testing procedure.

• Resuming monitoring of security controls.

PCI DSS Reference: Requirements 1-12

Assessment Findings (select one): In Place / Not Applicable / Not in Place

Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.
Added p. 31
Identify the evidence reference number(s) from Section 6 of the ROC Template for all records examined for this testing procedure.

PCI DSS Requirement A3.3.2 Hardware and software technologies are reviewed at least once every 12 months to confirm whether they continue to meet the organization’s PCI DSS requirements. PCI DSS Reference: Requirements 2, 6, 12.
Added p. 33
Identify the evidence reference number(s) from Section 6 of the ROC Template for the results of the recent reviews examined for this testing procedure.

<Enter Response Here>

A3.3.2.c Review documentation to verify that, for any technologies that have been determined to no longer meet the organization’s PCI DSS requirements, a plan is in place to remediate the technology.

• Retention of records and documentation for at least 12 months, covering all BAU activities.

PCI DSS Reference: Requirements 1-12

Assessment Findings (select one): In Place / Not Applicable / Not in Place

Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.

Validation Method

• Defined Approach

Indicate whether a Compensating Control was used: ☐ Yes ☐ No

If “Yes”, identify the aspect(s) of the requirement where the Compensating Control(s) was used. Note: The use of Compensating Controls …
Added p. 36
PCI DSS Requirement A3.4.1 User accounts and access privileges to in-scope system components are reviewed at least once every six months to ensure user accounts and access privileges remain appropriate based on job function, and that all access is authorized.

PCI DSS Reference: Requirement 7

Assessment Findings (select one): In Place / Not Applicable / Not in Place

Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.

<Enter Response Here>

Identify the evidence reference number(s) from Section 6 of the ROC Template for all documentation examined for this testing procedure.
Added p. 38
PCI DSS Requirement A3.5.1 A methodology is implemented for the prompt identification of attack patterns and undesirable behavior across systems that includes:

• Response to alerts in accordance with documented response procedures.

PCI DSS Reference: Requirements 10, 12

Assessment Findings (select one): In Place / Not Applicable / Not in Place

Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.

Identify the evidence reference number(s) from Section 6 of the ROC Template for all incident response procedures examined for this testing procedure.
Modified p. 1
Payment Card Industry (PCI) Data Security Standard Supplemental Report on Compliance • Designated Entities Reporting Template for use with PCI DSS v3.2.1 Appendix A3: Designated Entities Supplemental Validation Revision 2
PCI DSS v4.0 Supplemental Report on Compliance Template Designated Entities Supplemental Validation Revision 1
Removed p. 3
This “Supplemental ROC Template” or “S-ROC” document is to be completed according to the same instructions provided in the Reporting Template for PCI DSS v3.2.1. Refer to the Reporting Template(s) for use with PCI DSS v3.2.1 and the ROC Reporting Template for PCI DSS v3.x: Frequently Asked Questions (FAQs) documents on the PCI SSC website for detailed instruction on how to complete these reporting templates. As such, do not delete any content from any place in this document, including this section and the versioning above. Excessive personalization and changes to sections - including additional sections - may not be accepted by accepting entities, and personalization should be limited to the title page.
Modified p. 3
The “S-ROC” template is an addendum to the ROC Reporting Template and is not intended to stand alone. Because of this, details related to Scope of Work, Details of Reviewed Environment and so on that are applicable to the environment reviewed for the S-ROC must be included in the applicable sections in the full ROC for that entity. For example, the list of interviewees in the full ROC should also include any persons interviewed during assessment of the PCI DSS …
The S-ROC template is an addendum to the ROC Template and is not intended to stand alone. Because of this, details related to Scope of Work, Details of Reviewed Environment, Remote Assessment Activities, and so on that are applicable to the environment reviewed for the S-ROC must be included in the applicable sections in the full ROC for that entity. For example, the list of evidence in the full ROC must also include any evidence reviewed during assessment of activities …
Removed p. 4
PCI DSS Requirements and Testing Procedures / Reporting Instruction / Reporting Details: Assessor’s Response / Summary of Assessment Findings

A3.1 Implement a PCI DSS compliance program

In Place / In Place w/ CCW / N/A

A3.1.1 Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program to include:

• Provide updates to executive management and board of directors on PCI DSS compliance initiatives and issues, including remediation activities, at least annually.

PCI DSS Reference: Requirement 12

A3.1.1.a Examine documentation to verify executive management has assigned overall accountability for maintaining the entity’s PCI DSS compliance.

Identify the company’s PCI DSS charter document(s) examined to verify the charter outlines the conditions under which the PCI DSS compliance program is organized.

Identify the sample of executive management and board of directors meeting minutes and/or presentations examined to ensure PCI DSS compliance initiatives and remediation activities are communicated at least annually.
Modified p. 4 → 5
• Overall accountability for maintaining PCI DSS compliance
• Overall accountability for maintaining PCI DSS compliance.
Modified p. 4 → 5
• Defining a charter for a PCI DSS compliance program
• Defining a charter for a PCI DSS compliance program.
Modified p. 4 → 6
Identify the document(s) examined to verify executive management has assigned overall accountability for maintaining the entity’s PCI DSS compliance.
<Enter Response Here> Testing Procedures Reporting Instructions Reporting Details: Assessor’s Response A3.1.1.a Examine documentation to verify executive management has assigned overall accountability for maintaining the entity’s PCI DSS compliance.
Modified p. 4 → 6
<Report Findings Here> A3.1.1.b Examine the company’s PCI DSS charter to verify it outlines the conditions under which the PCI DSS compliance program is organized.
<Enter Response Here> A3.1.1.b Examine the company’s PCI DSS charter to verify it outlines the conditions under which the PCI DSS compliance program is organized.
Modified p. 4 → 6
<Report Findings Here> A3.1.1.c Examine executive management and board of directors meeting minutes and/or presentations to ensure PCI DSS compliance initiatives and remediation activities are communicated at least annually.
<Enter Response Here> A3.1.1.c Examine executive management and board of directors meeting minutes and/or presentations to ensure PCI DSS compliance initiatives and remediation activities are communicated at least once every 12 months.
Removed p. 5
• A process for performing business impact analyses to determine potential PCI DSS impacts for strategic business

PCI DSS Reference: Requirements 1-12

In Place w/ CCW / N/A

A3.1.2.a Examine information security policies and procedures to verify that processes are specifically defined for the following:
Removed p. 5
• Business impact analyses to determine potential PCI DSS impacts for strategic business decisions

Identify the information security policies and procedures document(s) examined to verify that processes are specifically defined for the following:
Modified p. 5 → 7
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings A3.1.2 A formal PCI DSS compliance program must be in place to include:
PCI DSS Requirement A3.1.2 A formal PCI DSS compliance program is in place that includes:
Modified p. 5 → 7
• Definition of activities for maintaining and monitoring overall PCI DSS compliance, including business as usual activities
• Definition of activities for maintaining and monitoring overall PCI DSS compliance, including business-as-usual activities.
Modified p. 5 → 7
• Annual PCI DSS assessment processes
• Annual PCI DSS assessment processes.
Modified p. 5 → 7
• Processes for the continuous validation of PCI DSS requirements (for example: daily, weekly, quarterly, etc. as applicable per requirement).
• Processes for the continuous validation of PCI DSS requirements (for example, daily, weekly, every three months, as applicable per the requirement).
Modified p. 5 → 9
Maintaining and monitoring overall PCI DSS compliance, including business as usual activities
Managing PCI DSS business-as-usual activities.
Modified p. 5 → 9
Annual PCI DSS assessment(s)
Managing annual PCI DSS assessments.
Modified p. 5 → 14
Annual PCI DSS assessment(s)
Performing a formal PCI DSS impact assessment.
Removed p. 6
PCI DSS Requirements and Testing Procedures / Reporting Instruction / Reporting Details: Assessor’s Response / Summary of Assessment Findings

A3.1.2.b Interview personnel and observe compliance activities to verify that the defined processes are implemented for the following:

• Annual PCI DSS assessment(s)

• Business impact analyses to determine potential PCI DSS impacts for strategic business decisions

Identify the personnel interviewed who confirm that defined processes are implemented for:

• Business impact analyses to determine potential PCI DSS impacts for strategic business decisions <Report Findings Here>

Describe how compliance activities were observed to verify that defined processes are implemented for the following:

• Maintaining and monitoring overall PCI DSS compliance, including business as usual activities <Report Findings Here>

• Annual PCI DSS assessment(s) <Report Findings Here>

• Continuous validation of PCI DSS requirements <Report Findings Here>

• Managing business impact analyses to determine potential PCI DSS impacts for strategic business decisions
Modified p. 6 → 9
• Business impact analyses to determine potential PCI DSS impacts for strategic business decisions <Report Findings Here> A3.1.3 PCI DSS compliance roles and responsibilities must be specifically defined and formally assigned to one or more personnel, including at least the following:
PCI DSS Requirement A3.1.3 PCI DSS compliance roles and responsibilities are specifically defined and formally assigned to one or more personnel, including:
Modified p. 6 → 9
• Managing continuous validation of PCI DSS requirements (for example: daily, weekly, quarterly, etc. as applicable per requirement)
• Managing continuous validation of PCI DSS requirements (for example, daily, weekly, every three months, as applicable per the requirement).
Modified p. 6 → 14
Managing PCI DSS business as usual activities
Updating PCI DSS scope as appropriate.
Removed p. 7
PCI DSS Requirements and Testing Procedures / Reporting Instruction / Reporting Details: Assessor’s Response / Summary of Assessment Findings

A3.1.3.a Examine information security policies and procedures and interview personnel to verify that roles and responsibilities are clearly defined and that duties are assigned to include at least the following:
Removed p. 7
• Managing continuous validation of PCI DSS requirements (for example: daily, weekly, quarterly, etc. as applicable per requirement)

• Managing business impact analyses to determine potential PCI DSS impacts for strategic business decisions

Identify the information security policies and procedures document(s) examined to verify that roles and responsibilities are clearly defined and that duties are assigned to include at least the following:

• Managing business impact analyses to determine potential PCI DSS impacts for strategic business decisions <Report Findings Here>

Identify the personnel interviewed who confirm that roles and responsibilities are clearly defined and that duties are assigned to include at least the following:

Identify the personnel interviewed who confirm that they are familiar with and performing their designated PCI DSS compliance responsibilities.

<Report Findings Here>

A3.1.4 Provide up-to-date PCI DSS and/or information security training at least annually to personnel with PCI DSS compliance responsibilities (as identified in A3.1.3).

Identify the information security policies and …
Modified p. 7 → 10
• Managing business impact analyses to determine potential PCI DSS impacts for strategic business decisions <Report Findings Here> A3.1.3.b Interview responsible personnel and verify they are familiar with and performing their designated PCI DSS compliance responsibilities.
<Enter Response Here> A3.1.3.b Interview responsible personnel and verify they are familiar with and performing their designated PCI DSS compliance responsibilities.
Modified p. 7 → 11
PCI DSS Reference: Requirement 12 In Place w/ CCW N/A A3.1.4.a Examine information security policies and procedures to verify that PCI DSS and/or similar information security training is required at least annually for each role with PCI DSS compliance responsibilities.
<Enter Response Here> Testing Procedures Reporting Instructions Reporting Details: Assessor’s Response A3.1.4.a Examine information security policies and procedures to verify that PCI DSS and/or information security training is required at least once every 12 months for each role with PCI DSS compliance responsibilities.
Removed p. 8
PCI DSS Requirements and Testing Procedures / Reporting Instruction / Reporting Details: Assessor’s Response / Summary of Assessment Findings

A3.1.4.b Interview personnel and examine certificates of attendance or other records to verify that personnel with PCI DSS compliance responsibility receive up-to-date PCI DSS and/or similar information security training at least annually.

<Report Findings Here>

Identify the certificates of attendance or other records examined to verify that personnel with PCI DSS compliance responsibility receive up-to-date PCI DSS and/or similar information security training at least annually.

<Report Findings Here>

A3.2 Document and validate PCI DSS scope

In Place / In Place w/ CCW / N/A

A3.2.1 Document and confirm the accuracy of PCI DSS scope at least quarterly and upon significant changes to the in-scope environment. At a minimum, the quarterly scoping validation should include:

• Identifying all in-scope networks and system components

• Identifying all out-of-scope networks and justification for networks being out of scope, including descriptions of all segmentation …
Modified p. 8 → 11
Identify the personnel interviewed who confirm that personnel with PCI DSS compliance responsibility receive up-to-date PCI DSS and/or similar information security training at least annually.
<Enter Response Here> A3.1.4.b Interview personnel and examine certificates of attendance or other records to verify that personnel with PCI DSS compliance responsibility receive up-to-date PCI DSS and/or similar information security training at least once every 12 months.
Modified p. 8 → 12
• Identifying all connected entities (e.g. third party entities with access to the cardholder data environment (CDE))
• Identifying all connections to third-party entities with access to the CDE.
Modified p. 8 → 13
PCI DSS Reference: Scope of PCI DSS Requirements A3.2.1.a Examine documented results of scope reviews and interview personnel to verify that the reviews are performed:
<Enter Response Here> Testing Procedures Reporting Instructions Reporting Details: Assessor’s Response A3.2.1.a Examine documented results of scope reviews and interview personnel to verify that the reviews are performed: • At least once every three months.
Modified p. 8 → 13
• After significant changes to the in-scope environment Identify the documented results of scope reviews examined to verify that the reviews are performed:
• After significant changes to the in-scope environment.
Removed p. 9
PCI DSS Requirements and Testing Procedures / Reporting Instruction / Reporting Details: Assessor’s Response / Summary of Assessment Findings

A3.2.1.b Examine documented results of quarterly scope reviews to verify the following is performed:

• Identification of all in-scope networks and system components

• Identification of all out-of-scope networks and justification for networks being out of scope, including descriptions of all segmentation controls implemented

• Identification of all connected entities (e.g. third party entities with access to the CDE)

Using the documented results of quarterly scope review identified at DE 2.1.a, describe how the documented results of quarterly scope reviews were observed to verify that the following is performed:

• Identification of all in-scope networks and system components <Report Findings Here>

• Identification of all out-of-scope networks and justification for networks being out of scope, including descriptions of all segmentation controls implemented <Report Findings Here>
Modified p. 9 → 14
• Identification of all connected entities <Report Findings Here> A3.2.2 Determine PCI DSS scope impact for all changes to systems or networks, including additions of new systems and new network connections. Processes must include:
PCI DSS Requirement A3.2.2 PCI DSS scope impact for all changes to systems or networks is determined, including additions of new systems and new network connections. Processes include:
Modified p. 9 → 14
• Identifying applicable PCI DSS requirements to the system or network
• Identifying applicable PCI DSS requirements to the system or network.
Removed p. 10
PCI DSS Requirements and Testing Procedures / Reporting Instruction / Reporting Details: Assessor’s Response / Summary of Assessment Findings

A3.2.2 Examine change documentation and interview personnel to verify that for each change to systems or networks:

• A formal PCI DSS impact assessment was performed
Removed p. 10
• Sign-off by responsible personnel (as defined in A3.1.3) was obtained and documented Identify the change documentation examined to verify that for each change to systems or networks:

• A formal PCI DSS impact assessment was

• Sign-off by responsible personnel (as defined in A3.1.3) was obtained and documented <Report Findings Here> Identify the personnel interviewed who confirm that for each change to systems or networks:

• Sign-off by responsible personnel (as defined in A3.1.3) was obtained and documented <Report Findings Here> A3.2.2.1 Upon completion of a change, all relevant PCI DSS requirements must be verified on all new or changed systems and networks, and documentation must be updated as applicable. Examples of PCI DSS requirements that should be verified include, but are not limited to:

• Updated network diagram to reflect changes

• Systems are configured per configuration standards, with all default passwords changed and unnecessary services …
Removed p. 11
A3.2.2.1 For a sample of systems and network changes, examine change records, interview personnel and observe the affected systems/networks to verify that applicable PCI DSS requirements were implemented and documentation updated as part of the change.

<Report Findings Here> For the sample of systems and network changes:

Identify the change records examined to verify that applicable PCI DSS requirements were implemented and documentation updated as part of the change.

<Report Findings Here> Identify the personnel interviewed who confirm that applicable PCI DSS requirements were implemented and documentation updated as part of the change.

<Report Findings Here> Describe how the affected systems/networks were observed to verify that applicable PCI DSS requirements were implemented and documentation updated as part of the change.

<Report Findings Here> A3.2.3 Changes to organizational structure (for example, a company merger or acquisition, change or reassignment of …
Modified p. 11 → 17
PCI DSS Reference: Requirement 12 In Place w/ CCW N/A A3.2.3 Examine policies and procedures to verify that a change to organizational structure results in formal review of the impact to PCI DSS scope and applicability of controls.
<Enter Response Here> Testing Procedures Reporting Instructions Reporting Details: Assessor’s Response A3.2.3 Examine policies and procedures to verify that a change to organizational structure results in a formal review of the impact on PCI DSS scope and applicability of controls.
Modified p. 11 → 18
<Report Findings Here> A3.2.4 If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.
• Penetration testing is performed on segmentation controls at least once every six months and after any changes to segmentation controls/methods.
Modified p. 11 → 23
Identify the sample of systems and network changes.
• Identifying the source of the data.
Removed p. 12
A3.2.4 Examine the results from the most recent penetration test to verify that:

• Penetration testing to verify segmentation controls is performed at least every six months and after any changes to segmentation controls/methods,

• The penetration testing verifies that segmentation controls/methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.

Is segmentation in use? (yes/no) If no, mark the remainder of DE 2.4 as “not applicable.” <Report Findings Here> Identify the date of the most recent penetration test for which results are being examined.

<Report Findings Here> For the most recent penetration test, describe how examination of the results from the most recent penetration test verify that:

• Penetration testing to verify …
Modified p. 12 → 18
• The penetration testing covers all segmentation controls/methods in use
• The penetration testing covers all segmentation controls/methods in use.
Modified p. 12 → 19
<Report Findings Here> A3.2.5 Implement a data discovery methodology to confirm PCI DSS scope and to locate all sources and locations of clear text PAN at least quarterly, and upon significant changes to the cardholder environment or processes.
• Locates all sources and locations of cleartext PAN at least once every three months and upon significant changes to the CDE or processes.
Modified p. 12 → 19
Identify the data discovery methodology document(s) examined to verify that:
PCI DSS Requirement A3.2.5 A data-discovery methodology is implemented that:
Removed p. 13
A3.2.5.b Examine results from recent data discovery efforts, and interview responsible personnel to verify that data discovery is performed at least quarterly and upon significant changes to the cardholder environment or processes. Describe the results from recent data discovery efforts examined to verify that data discovery is performed at least quarterly and upon significant changes to the cardholder environment or processes.

<Report Findings Here> Identify the personnel interviewed who confirm that data discovery is performed at least quarterly and upon significant changes to the cardholder environment or processes.

PCI DSS Reference: Scope of PCI DSS Requirements A3.2.5.1.a Interview personnel and review documentation to verify:

• The process includes verifying the methods are able to discover clear text PAN on all types of system components and file formats in use <Report Findings Here> …
Modified p. 13 → 21
The effectiveness of data discovery methods must be confirmed at least annually.
PCI DSS Requirement A3.2.5.1 Data discovery methods are confirmed as follows:
Modified p. 13 → 21
The process includes verifying the methods are able to discover clear text PAN on all types of system components and file formats in use Identify the personnel interviewed who confirm that:
Methods are able to discover cleartext PAN on all types of system components and file formats in use.
Modified p. 13 → 22
<Report Findings Here> A3.2.5.1 Ensure effectiveness of methods used for data discovery

• e.g. methods must be able to discover clear text PAN on all types of system components (for example, on each operating system or platform) and file formats in use.
• The process includes verifying the methods are able to discover cleartext PAN on all types of system components and file formats in use.
Modified p. 13 → 22
• The entity has a process in place to test the effectiveness of methods used for data discovery
• The entity has a process in place to test the effectiveness of methods used for data discovery.
Modified p. 13 → 22
• The process includes verifying the methods are able to discover clear text PAN on all types of system components and file formats in use <Report Findings Here> A3.2.5.1.b Examine the results of recent effectiveness tests to verify the effectiveness of methods used for data discovery is confirmed at least annually.
<Enter Response Here> A3.2.5.1.b Examine the results of effectiveness tests to verify that the effectiveness of data-discovery methods is confirmed at least once every 12 months.
Removed p. 14
A3.2.5.2 Implement response procedures to be initiated upon the detection of clear text PAN outside of the CDE to include:
Removed p. 14
• Procedures for identifying if any track data is stored with the PANs A3.2.5.2.a Examine documented response procedures to verify that procedures for responding to the detection of clear text PAN outside of the CDE are defined and include:

• Procedures for determining what to do if clear text PAN is discovered outside of the CDE, including its retrieval, secure deletion and/or migration into the currently defined CDE, as applicable

• Procedures for determining how the data ended up outside the CDE

• Procedures for identifying any other track data stored with the PANs Identify the response procedures document(s) examined to verify that procedures for responding to …
Modified p. 14 → 23
• Procedures for determining what to do if clear text PAN is discovered outside of the CDE, including its retrieval, secure deletion and/or migration into the currently defined CDE, as applicable
PCI DSS Requirement A3.2.5.2 Response procedures are implemented to be initiated upon the detection of cleartext PAN outside the CDE to include: Determining what to do if cleartext PAN is discovered outside the CDE, including its retrieval, secure deletion, and/or migration into the currently defined CDE, as applicable.
Modified p. 14 → 23
Procedures for determining how the data ended up outside of the CDE
Determining how the data ended up outside the CDE.
Modified p. 14 → 23
Procedures for remediating data leaks or process gaps that resulted in the data being outside of the CDE
Remediating data leaks or process gaps that resulted in the data being outside the CDE.
Modified p. 14 → 24
• Procedures for identifying if any other track data is stored with the PANs <Report Findings Here> A3.2.5.2.b Interview personnel and examine records of response actions to verify that remediation activities are performed when clear text PAN is detected outside of the CDE.
<Enter Response Here> A3.2.5.2.b Interview personnel and examine records of response actions to verify that remediation activities are performed when cleartext PAN is detected outside the CDE.
Modified p. 14 → 27
• Procedures for remediating data leaks or process gaps that resulted in the data being outside of the CDE
• Procedures for remediating data leaks or process gaps, as necessary, to prevent any data loss.
Removed p. 15
PCI DSS Reference: Scope of PCI DSS Requirements A3.2.6.a Examine documentation and observe implemented mechanisms to verify that the mechanisms are:
Removed p. 15
• Generating logs and alerts upon detection of clear text PAN leaving the CDE via an unauthorized channel, method or process Identify the document(s) examined to verify that mechanisms are:

• Configured to detect and prevent clear text PAN leaving the CDE via an unauthorized channel, method or process

• Generating logs and alerts upon detection of clear text PAN leaving the CDE via an unauthorized channel, method or process <Report Findings Here> Describe the implemented mechanisms observed to verify that mechanisms are:

Identify the audit logs and alert(s) examined to verify that alerts are investigated.

<Report Findings Here> Identify the responsible personnel interviewed who confirm that alerts are investigated.
Modified p. 15 → 24
A3.2.6 Implement mechanisms for detecting and preventing clear text PAN from leaving the CDE via an unauthorized channel, method or process, including generation of audit logs and alerts.
PCI DSS Requirement A3.2.6 Mechanisms are implemented for detecting and preventing cleartext PAN from leaving the CDE via an unauthorized channel, method, or process, including mechanisms that are:
Modified p. 15 → 24
• Configured to detect and prevent clear text PAN leaving the CDE via an unauthorized channel, method or process
• Configured to detect and prevent cleartext PAN leaving the CDE via an unauthorized channel, method, or process.
Modified p. 15 → 25
• Generating logs and alerts upon detection of clear text PAN leaving the CDE via an unauthorized channel, method or process <Report Findings Here> A3.2.6.b Examine audit logs and alerts, and interview responsible personnel to verify that alerts are investigated.
<Enter Response Here> A3.2.6.b Examine audit logs and alerts, and interview responsible personnel to verify that alerts are investigated.
Modified p. 15 → 26
<Report Findings Here> A3.2.6.1 Implement response procedures to be initiated upon the detection of attempts to remove clear text PAN from the CDE via an unauthorized channel, method or process. Response procedures must include:
PCI DSS Requirement A3.2.6.1 Response procedures are implemented to be initiated upon the detection of attempts to remove cleartext PAN from the CDE via an unauthorized channel, method, or process. Response procedures include:
Modified p. 15 → 26
• Procedures for the timely investigation of alerts by responsible personnel
• Procedures for the prompt investigation of alerts by responsible personnel.
Removed p. 16
• Procedures for the timely investigation of alerts by responsible personnel

• Procedures for remediating data leaks or process gaps, as necessary, to prevent any data loss Identify the response procedures document(s) examined to verify that procedures for responding to the attempted removal of clear text PAN from the CDE via an unauthorized channel, method or process include:

• Procedures for remediating data leaks or process gaps, as necessary, to prevent any data loss <Report Findings Here> A3.2.6.1.b Interview personnel and examine records of actions taken when clear text PAN is detected leaving the CDE via an unauthorized channel, method or process, and verify that remediation activities were performed Identify the personnel interviewed who confirm that when clear text PAN is detected leaving the CDE via an unauthorized channel, method or process, remediation activities are performed <Report Findings Here> Identify the records …
Modified p. 16 → 28
physical access controls
Physical access controls
Modified p. 16 → 28
logical access controls
Logical access controls
Modified p. 16 → 28
audit logging mechanisms
Audit logging mechanisms
Modified p. 16 → 28
segmentation controls (if used)
Segmentation controls (if used)
Removed p. 17
A3.3.1.a Examine documented policies and procedures to verify that processes are defined to immediately detect and alert on critical security control failures.

Identify the policies and procedures document(s) examined to verify that processes are defined to immediately detect and alert on critical security control failures.

Identify the detection and alerting process document(s) examined to verify that processes are implemented for all critical security controls, and that failure of a critical security control results in the generation of an alert.

<Report Findings Here> Identify the personnel interviewed who confirm that processes are implemented for all critical security controls, and that failure of a critical security control results in the generation of an alert.
Modified p. 17 → 28
Resuming monitoring of security controls
Network security controls
Modified p. 17 → 29
<Report Findings Here> A3.3.1.b Examine detection and alerting processes and interview personnel to verify that processes are implemented for all critical security controls, and that failure of a critical security control results in the generation of an alert.
<Enter Response Here> A3.3.1.b Examine detection and alerting processes, and interview personnel to verify that processes are implemented for all critical security controls specified in this requirement and that each failure of a critical security control results in the generation of an alert.
Modified p. 17 → 30
<Report Findings Here> A3.3.1.1 Respond to failures of any critical security controls in a timely manner. Processes for responding to failures in security controls must include:
PCI DSS Requirement A3.3.1.2 Failures of any critical security control systems are responded to promptly. Processes for responding to failures in security control systems include:
Modified p. 17 → 30
• Restoring security functions
• Restoring security functions.
Modified p. 17 → 30
• Identifying and documenting the duration (date and time start to end) of the security failure
• Identifying and documenting the duration (date and time from start to end) of the security failure.
Modified p. 17 → 30
• Identifying and documenting cause(s) of failure, including root cause, and document remediation required to address root
• Identifying and documenting the cause(s) of failure, including root cause, and documenting remediation required to address the root cause.
Modified p. 17 → 30
• Identifying and addressing any security issues that arose during the failure
• Identifying and addressing any security issues that arose during the failure.
Modified p. 17 → 30
Performing a risk assessment to determine if further actions are required as a result of the security failure
Determining whether further actions are required as a result of the security failure.
Modified p. 17 → 30
• Implementing controls to prevent cause of failure from reoccurring
• Implementing controls to prevent the cause of failure from reoccurring.
Removed p. 18
A3.3.1.1.a Examine documented policies and procedures and interview personnel to verify processes are defined and implemented to respond to a security control failure, and include:
Removed p. 18
• Resuming monitoring of security Identify the policies and procedures document(s) examined to verify that processes are defined and implemented to respond to a security control failure, and include:

• Identifying and documenting the duration (date and time start to end) of the security failure

• Resuming monitoring of security controls <Report Findings Here> Identify the personnel interviewed who confirm that processes are defined and implemented to respond to a security control failure, and include:

• Identifying and documenting cause(s) of failure, including root cause, and document remediation required to address root cause
Modified p. 18 → 31
Identifying and documenting the duration (date and time start to end) of the security failure
Duration (date and time start and end) of the security failure.
Modified p. 18 → 31
Identifying and documenting cause(s) of failure, including root cause, and document remediation required to address root cause
Identification of cause(s) of the failure, including root cause.
Modified p. 18 → 31
Identifying and documenting cause(s) of failure, including root cause, and document remediation required to address root cause
Details of the remediation required to address the root cause.
Removed p. 19
• Details of the remediation required to address the root cause Identify the records of security control failures examined to verify that security control failures are documented to include:

• Details of the remediation required to address the root cause <Report Findings Here> A3.3.2 Review hardware and software technologies at least annually to confirm whether they continue to meet the organization’s PCI DSS requirements. (For example, a review of technologies that are no longer supported by the vendor, and/or no longer meet the security needs of the organization.) The process includes a plan for remediating technologies that no longer meet the organization’s PCI DSS requirements, up to and including replacement of the technology, as appropriate.

PCI DSS Reference: Requirement 2, 6 A3.3.2.a Examine documented policies and procedures and interview personnel to verify processes are defined and implemented to review hardware and software technologies to confirm whether they …
Modified p. 19 → 31
A3.3.1.1.b Examine records to verify that security control failures are documented to include:
<Enter Response Here> A3.3.1.2.b Examine records to verify that security control failures are documented to include:
Modified p. 19 → 33
<Report Findings Here> A3.3.2.b Review the results of the recent reviews to verify reviews are performed at least annually.
<Enter Response Here> A3.3.2.b Review the results of the recent reviews of hardware and software technologies to verify reviews are performed at least once every 12 months.
Removed p. 20
A3.3.2.c For any technologies that have been determined to no longer meet the organization’s PCI DSS requirements, verify a plan is in place to remediate the technology.

Are there any technologies present that have been determined to no longer meet the organization’s PCI DSS requirements? (yes/no) If no, mark the remainder of DE 3.2.c as “not applicable.” <Report Findings Here> If yes, identify the technologies that have been determined to no longer meet the organization’s PCI DSS requirements and were verified to have a plan in place to remediate the technology.

• Retention of records and documentation, for at least 12 months, covering all BAU activities
Modified p. 20 → 34
<Report Findings Here> A3.3.3 Perform reviews at least quarterly to verify BAU activities are being followed. Reviews must be performed by personnel assigned to the PCI DSS compliance program (as identified in A3.1.3), and include the following:
PCI DSS Requirement A3.3.3 Reviews are performed at least once every three months to verify BAU activities are being followed. Reviews are performed by personnel assigned to the PCI DSS compliance program (as identified in A3.1.3), and include:
Modified p. 20 → 34
Confirm that all BAU activities (e.g. A3.2.2, A3.2.6, and A3.3.1) are being performed
Confirmation that all BAU activities, including A3.2.2, A3.2.6, and A3.3.1, are being performed.
Modified p. 20 → 34
Confirm that personnel are following security policies and operational procedures (for example, daily log reviews, firewall rule-set reviews, configuration standards for new systems, etc.)
Confirmation that personnel are following security policies and operational procedures (for example, daily log reviews, ruleset reviews for network security controls, and configuration standards for new systems).
Modified p. 20 → 34
Document how the reviews were completed, including how all BAU activities were verified as being in place
Documenting how the reviews were completed, including how all BAU activities were verified as being in place.
Modified p. 20 → 34
• Collection of documented evidence as required for the annual PCI DSS assessment
• Collection of documented evidence as required for the annual PCI DSS assessment.
Modified p. 20 → 34
• Review and sign off of results by personnel assigned responsibility for the PCI DSS compliance program (as identified in A3.1.3)
• Review and sign-off of results by personnel assigned responsibility for the PCI DSS compliance program, as identified in A3.1.3.
Removed p. 21
A3.3.3.a Examine policies and procedures to verify that processes are defined for reviewing and verifying BAU activities. Verify the procedures include:

• Confirming that all BAU activities (e.g. A3.2.2, A3.2.6, and A3.3.1) are being performed

• Confirming that personnel are following security policies and operational procedures (for example, daily log reviews, firewall rule-set reviews, configuration standards for new systems, etc.)

• Collecting documented evidence as required for the annual PCI DSS assessment

• Reviewing and sign off of results by executive management assigned responsibility for PCI DSS governance

• …
Modified p. 21 → 35
• Retaining records and documentation, for at least 12 months, covering all BAU activities <Report Findings Here> A3.3.3.b Interview responsible personnel and examine records of reviews to verify that:
<Enter Response Here> A3.3.3.b Interview responsible personnel and examine records of reviews to verify that:
Modified p. 21 → 35
• Reviews are performed by personnel assigned to the PCI DSS compliance program
• Reviews are performed by personnel assigned to the PCI DSS compliance program.
Modified p. 21 → 35
• Reviews are performed at least quarterly Identify the responsible personnel interviewed who confirm that:
• Reviews are performed at least once every three months.
Removed p. 22
A3.4 Control and manage logical access to the cardholder data environment. A3.4.1 Review user accounts and access privileges to in-scope system components at least every six months to ensure user accounts and access remain appropriate, based on job function, and authorized.

PCI DSS Reference: Requirement 7 A3.4.1 Interview responsible personnel and examine supporting documentation to verify that:

• Reviews confirm that access is appropriate based on job function, and that all access is authorized <Report Findings Here> Identify the supporting document(s) examined to verify that:

• Reviews confirm that access is appropriate based on job function, and that all access is authorized <Report Findings Here> A3.5 Identify and respond to suspicious events. A3.5.1 Implement a methodology for the timely identification of attack patterns …
Modified p. 22 → 37
• User accounts and access privileges are reviewed at least every six months
• User accounts and access privileges are reviewed at least every six months.
Modified p. 22 → 37
• Reviews confirm that access is appropriate based on job function, and that all access is authorized Identify the personnel interviewed who confirm that:
• Reviews confirm that access is appropriate based on job function and that all access is authorized.
Modified p. 22 → 38
• Identification of anomalies or suspicious activity as they occur
• Identification of anomalies or suspicious activity as it occurs.
Modified p. 22 → 38
• Issuance of timely alerts upon detection of suspicious activity or anomaly to responsible personnel
• Issuance of prompt alerts upon detection of suspicious activity or anomaly to responsible personnel.
Modified p. 22 → 39
Response to alerts in accordance with documented response procedures
Alerts are responded to per documented response procedures.
Removed p. 23
• Issuance of timely alerts to responsible

• Response to alerts in accordance with documented response procedures Identify the policies and procedures document(s) examined to verify that a methodology is defined and implemented to identify attack patterns and undesirable behavior across systems in a timely manner, and includes the following:

• Issuance of timely alerts to responsible personnel

• Response to alerts in accordance with documented response procedures <Report Findings Here> Identify the personnel interviewed who confirm that a methodology is defined and implemented to identify attack patterns and undesirable behavior across systems in a timely manner, and includes the following:

• Alerts are responded to per documented response procedures Identify the incident response procedures document(s) examined to verify that:

• On-call personnel receive timely alerts

• Alerts are responded to per documented response procedures <Report Findings Here> Identify the personnel interviewed who confirm …
Modified p. 23 → 39
Response to alerts in accordance with documented response procedures <Report Findings Here> A3.5.1.b Examine incident response procedures and interview responsible personnel to verify that:
<Enter Response Here> A3.5.1.b Examine incident response procedures and interview responsible personnel to verify that:
Modified p. 23 → 39
• On-call personnel receive timely alerts
• On-call personnel receive prompt alerts.