Document Comparison
PCI-DSS-v4-0-DESV-S-ROC-Template.pdf → PCI-DSS-v4-0-DESV-S-ROC-Template-r1.pdf
98% similar
Pages: 39 → 39
Words: 8559 → 8530
Content Changes: 19
From Revision History
- June 2015 For use with PCI DSS v3.1 Revision 1.0
- December 2022 For use with PCI DSS v4.0 Revision 1
- December 2022 © 2006 - 2022 PCI Security Standards Council, LLC. All Rights Reserved. Page 2
Content Changes
19 content changes. 29 administrative changes (dates, page numbers) hidden.
Modified
p. 4
Select If Below Method Was In Place In Place with Remediation Not Applicable Not in Place Compensating Control Requirement A3.1: ☐ ☐ ☐ ☐ ☐ Requirement A3.2: ☐ ☐ ☐ ☐ ☐ Requirement A3.3: ☐ ☐ ☐ ☐ ☐ Requirement A3.4: ☐ ☐ ☐ ☐ ☐ Requirement A3.5: ☐ ☐ ☐ ☐ ☐ In the sections below, identify the DESV requirements with the following results and assessment method. If there are none, enter “Not Applicable.” Note: Natural grouping of requirements …
Select If Below Method Was In Place Not Applicable Not in Place Compensating Control Requirement A3.1: ☐ ☐ ☐ ☐ Requirement A3.2: ☐ ☐ ☐ ☐ Requirement A3.3: ☐ ☐ ☐ ☐ Requirement A3.4: ☐ ☐ ☐ ☐ Requirement A3.5: ☐ ☐ ☐ ☐ In the sections below, identify the DESV requirements with the following results and assessment method. If there are none, enter “Not Applicable.” Note: Natural grouping of requirements is allowed (for example, Req. A3.1.1, A3.1.2, A3.1.3, or …
Modified
p. 4
Not Applicable Not in Place Due to a Legal Restriction Not in Place Not Due to a Legal Restriction Compensating Control <Enter Response Here> <Enter Response Here> <Enter Response Here> <Enter Response Here>
Modified
p. 5
• Providing updates to executive management and board of directors on PCI DSS compliance initiatives and issues, including remediation activities, at least once every 12 months. PCI DSS Reference: Requirement 12 Assessment Findings (select one) In Place In Place with Remediation Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.
• Providing updates to executive management and board of directors on PCI DSS compliance initiatives and issues, including remediation activities, at least once every 12 months. PCI DSS Reference: Requirement 12 Assessment Findings (select one) In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.
Modified
p. 7
• A process for performing business-impact analysis to determine potential PCI DSS impacts for strategic business decisions. PCI DSS Reference: Requirements 1-12 Assessment Findings (select one) In Place In Place with Remediation Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.
• A process for performing business-impact analysis to determine potential PCI DSS impacts for strategic business decisions. PCI DSS Reference: Requirements 1-12 Assessment Findings (select one) In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.
Modified
p. 9
• Managing business-impact analysis to determine potential PCI DSS impacts for strategic business decisions. PCI DSS Reference: Requirement 12 Assessment Findings (select one) In Place In Place with Remediation Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.
• Managing business-impact analysis to determine potential PCI DSS impacts for strategic business decisions. PCI DSS Reference: Requirement 12 Assessment Findings (select one) In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.
Modified
p. 10
PCI DSS Requirement A3.1.4 Up-to-date PCI DSS and/or information security training is provided at least once every 12 months to personnel with PCI DSS compliance responsibilities (as identified in A3.1.3). PCI DSS Reference: Requirement 12 Assessment Findings (select one) In Place In Place with Remediation Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.
PCI DSS Requirement A3.1.4 Up-to-date PCI DSS and/or information security training is provided at least once every 12 months to personnel with PCI DSS compliance responsibilities (as identified in A3.1.3). PCI DSS Reference: Requirement 12 Assessment Findings (select one) In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.
Modified
p. 14
• Documented sign-off of the results of the impact assessment by responsible personnel (as defined in A3.1.3). PCI DSS Reference: Scope of PCI DSS Requirements; Requirements 1-12 Assessment Findings (select one) In Place In Place with Remediation Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.
• Documented sign-off of the results of the impact assessment by responsible personnel (as defined in A3.1.3). PCI DSS Reference: Scope of PCI DSS Requirements; Requirements 1-12 Assessment Findings (select one) In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.
Modified
p. 15
PCI DSS Requirement A3.2.2.1 Upon completion of a change, all relevant PCI DSS requirements are confirmed to be implemented on all new or changed systems and networks, and documentation is updated as applicable. PCI DSS Reference: Scope of PCI DSS Requirements; Requirement 1-12 Assessment Findings (select one) In Place In Place with Remediation Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in …
PCI DSS Requirement A3.2.2.1 Upon completion of a change, all relevant PCI DSS requirements are confirmed to be implemented on all new or changed systems and networks, and documentation is updated as applicable. PCI DSS Reference: Scope of PCI DSS Requirements; Requirement 1-12 Assessment Findings (select one) In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the …
Modified
p. 17
PCI DSS Requirement A3.2.3 Changes to organizational structure result in a formal (internal) review of the impact to PCI DSS scope and applicability of controls. PCI DSS Reference: Requirement 12 Assessment Findings (select one) In Place In Place with Remediation Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.
PCI DSS Requirement A3.2.3 Changes to organizational structure result in a formal (internal) review of the impact to PCI DSS scope and applicability of controls. PCI DSS Reference: Requirement 12 Assessment Findings (select one) In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.
Modified
p. 18
• The penetration testing verifies that segmentation controls/methods are operational and effective, and isolate the CDE from all out-of-scope systems. PCI DSS Reference: Requirement 11 Assessment Findings (select one) In Place In Place with Remediation Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.
• The penetration testing verifies that segmentation controls/methods are operational and effective, and isolate the CDE from all out-of-scope systems. PCI DSS Reference: Requirement 11 Assessment Findings (select one) In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.
Modified
p. 19
• Addresses the potential for cleartext PAN to reside on systems and networks outside the currently defined CDE. PCI DSS Reference: Scope of PCI DSS Requirements Assessment Findings (select one) In Place In Place with Remediation Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.
• Addresses the potential for cleartext PAN to reside on systems and networks outside the currently defined CDE. PCI DSS Reference: Scope of PCI DSS Requirements Assessment Findings (select one) In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.
Modified
p. 21
• The effectiveness of data-discovery methods is confirmed at least once every 12 months. PCI DSS Reference: Scope of PCI DSS Requirements Assessment Findings (select one) In Place In Place with Remediation Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.
• The effectiveness of data-discovery methods is confirmed at least once every 12 months. PCI DSS Reference: Scope of PCI DSS Requirements Assessment Findings (select one) In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.
Modified
p. 24
• Generating audit logs and alerts upon detection of cleartext PAN leaving the CDE via an unauthorized channel, method, or process. PCI DSS Reference: Scope of PCI DSS Requirements, Requirement 12 Assessment Findings (select one) In Place In Place with Remediation Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.
• Generating audit logs and alerts upon detection of cleartext PAN leaving the CDE via an unauthorized channel, method, or process. PCI DSS Reference: Scope of PCI DSS Requirements, Requirement 12 Assessment Findings (select one) In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.
Modified
p. 26
• Procedures for remediating data leaks or process gaps, as necessary, to prevent any data loss. PCI DSS Reference: Requirement 12 Assessment Findings (select one) In Place In Place with Remediation Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.
• Procedures for remediating data leaks or process gaps, as necessary, to prevent any data loss. PCI DSS Reference: Requirement 12 Assessment Findings (select one) In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.
Modified
p. 28
• Automated code review tools (if used). This bullet is a best practice until 31 March 2025, after which they will be required as part of Requirement A3.3.1 and must be fully considered during a PCI DSS assessment. PCI DSS Reference: Requirements 1-12 Assessment Findings (select one) In Place In Place with Remediation Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in …
• Automated code review tools (if used). This bullet is a best practice until 31 March 2025, after which they will be required as part of Requirement A3.3.1 and must be fully considered during a PCI DSS assessment. PCI DSS Reference: Requirements 1-12 Assessment Findings (select one) In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the …
Modified
p. 30
• Resuming monitoring of security controls. PCI DSS Reference: Requirements 1-12 Assessment Findings (select one) In Place In Place with Remediation Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.
• Resuming monitoring of security controls. PCI DSS Reference: Requirements 1-12 Assessment Findings (select one) In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.
Modified
p. 34
• Retention of records and documentation for at least 12 months, covering all BAU activities. PCI DSS Reference: Requirements 1-12 Assessment Findings (select one) In Place In Place with Remediation Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.
• Retention of records and documentation for at least 12 months, covering all BAU activities. PCI DSS Reference: Requirements 1-12 Assessment Findings (select one) In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.
Modified
p. 36
PCI DSS Requirement A3.4.1 User accounts and access privileges to in-scope system components are reviewed at least once every six months to ensure user accounts and access privileges remain appropriate based on job function, and that all access is authorized. PCI DSS Reference: Requirement 7 Assessment Findings (select one) In Place In Place with Remediation Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the …
PCI DSS Requirement A3.4.1 User accounts and access privileges to in-scope system components are reviewed at least once every six months to ensure user accounts and access privileges remain appropriate based on job function, and that all access is authorized. PCI DSS Reference: Requirement 7 Assessment Findings (select one) In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings …
Modified
p. 38
• Response to alerts in accordance with documented response procedures. PCI DSS Reference: Requirements 10, 12 Assessment Findings (select one) In Place In Place with Remediation Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.
• Response to alerts in accordance with documented response procedures. PCI DSS Reference: Requirements 10, 12 Assessment Findings (select one) In Place Not Applicable Not in Place Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions.