Document Comparison

PCI-DSS-v3_2_1-ROC-Reporting-Template.pdf → PCI-DSS-v3-2-1-ROC-Reporting-Template-r2.pdf
97% similar
191 → 190 Pages
65735 → 65337 Words
48 Content Changes

From Revision History

  • September 2022: PCI DSS v3.2.1 Revision 2. Updates to reflect the inclusion of UnionPay as a Participating Payment Brand.
  • September 2022 © 2022 PCI Security Standards Council, LLC. All Rights Reserved. Page iii

Content Changes

48 content changes. 46 administrative changes (dates, page numbers) hidden.

Added p. 2
This document is intended for use with PCI DSS v3.2.1 r1.
Added p. 58
• Database contents
Identify the sample of system components selected for 3.2.1-3.2.3.

• If applicable, any other output observed to be generated
<Report Findings Here>
3.2.2 Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions after authorization.
3.2.2 For a sample of system components, examine data sources, including but not limited to the following, and verify that the three-digit or four-digit card verification …
For each data source type below from the sample of system components at 3.2.1, summarize the specific examples of each data source type observed to verify that the three-digit or four-digit card verification code or value printed on the front of the card or the signature panel (CAV2, CVC2, CVN2, CVV2, and CID data) is not stored after authorization. If that type of data …
Modified p. 1
PCI DSS v3.2.1 Template for Report on Compliance Revision 1.0
PCI DSS v3.2.1 Template for Report on Compliance Revision 2
Modified p. 10
“Assessor verified this is the responsibility of Service Provider X, as verified through review of x/y contract (document). Assessor reviewed the AOC for Service Provider X, dated MM/DD/YYYY, and confirmed the service provider was found to be PCI DSS compliant against PCI DSS v3.2 (or PCI DSS v3.2.1) for all applicable requirements, and that it covers the scope of the services used by the assessed entity.” That response could vary, but what’s important is that it is noted as “in …
“Assessor verified this is the responsibility of Service Provider X, as verified through review of x/y contract (document). Assessor reviewed the AOC for Service Provider X, dated MM/DD/YYYY, and confirmed the service provider was found to be PCI DSS compliant against PCI DSS v3.2.1 for all applicable requirements, and that it covers the scope of the services used by the assessed entity.” That response could vary, but what’s important is that it is noted as “in place” and that there …
Modified p. 19
- Describe how it was verified that the identified security controls are in place Note

• the response must go beyond listing the activities that the assessor performed and must provide specific details of what the assessor observed to get the level of assurance that the identified security controls are in place.
- Describe how it was verified that the identified security controls are in Note

• the response must go beyond listing the activities that the assessor performed and must provide specific details of what the assessor observed to get the level of assurance that the identified security controls are in place.
Modified p. 35
Identify the firewall configuration standards document examined to verify requirements for a firewall:
Identify the firewall configuration standards document examined to verify requirements for a firewall: • At each Internet connection.
Modified p. 53
<Report Findings Here> Identify the responsible personnel interviewed who confirm that the above documented security policies and operational procedures for managing vendor defaults and other security parameters are:
<Report Findings Here> Identify the responsible personnel interviewed who confirm that the above documented security policies and operational procedures for managing vendor defaults and other security parameters are: • In use
Modified p. 57 → 56
[table header: PCI DSS Requirements and Testing Procedures | Reporting Instruction | Reporting Details: Assessor’s Response | Summary of Assessment Findings (check one): In Place, In Place w/ CCW, N/A, Not Tested] 3.1.c For a sample of system components that store cardholder data:
<Report Findings Here> 3.1.c For a sample of system components that store cardholder data:
Modified p. 57
<Report Findings Here> Identify the interviewed personnel who confirm there is a documented business justification for the storage of sensitive authentication data.
[table header] Identify the interviewed personnel who confirm there is a documented business justification for the storage of sensitive authentication data.
Removed p. 58
• Incoming transaction data Identify the sample of system components selected for 3.2.1-3.2.3.
Modified p. 58 → 57
[table header] 3.2.c For all other entities, if sensitive authentication data is received, review policies and procedures, and examine system configurations to verify the data is not retained after authorization.
<Report Findings Here> 3.2.c For all other entities, if sensitive authentication data is received, review policies and procedures, and examine system configurations to verify the data is not retained after authorization.
Modified p. 58
<Report Findings Here> 3.2.1 Do not store the full contents of any track (from the magnetic stripe located on the back of a card, equivalent data contained on a chip, or elsewhere) after authorization. This data is alternatively called full track, track, track 1, track 2, and magnetic-stripe data. Note: In the normal course of business, the following data elements from the magnetic stripe may need to be retained:
[table header] 3.2.1 Do not store the full contents of any track (from the magnetic stripe located on the back of a card, equivalent data contained on a chip, or elsewhere) after authorization. This data is alternatively called full track, track, track 1, track 2, and magnetic-stripe data. Note: In the normal course of business, the following …
Removed p. 59
[table header]

• All logs (for example, transaction, history, debugging, error)

• If applicable, any other output observed to be generated
<Report Findings Here>
3.2.2 Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions after authorization.
3.2.2 For a sample of system components, examine data sources, including but not limited to the following, and verify that the three-digit or four-digit card verification code or value printed on the front of the card or the signature panel (CVV2, CVC2, CID, CAV2 data) is not stored after authorization:

• Database contents
For each data source type below from the sample of system components at 3.2.1, summarize the …
Modified p. 59
If applicable, any other output observed to be generated <Report Findings Here>
Database contents <Report Findings Here>
Modified p. 60 → 59
[table header] 3.2.3 Do not store the personal identification number (PIN) or the encrypted PIN block after authorization. 3.2.3 For a sample of system components, examine data sources, including but not limited to the following and verify that PINs and encrypted PIN blocks are not stored after authorization:
• If applicable, any other output observed to be generated <Report Findings Here> 3.2.3 Do not store the personal identification number (PIN) or the encrypted PIN block after authorization. 3.2.3 For a sample of system components, examine data sources, including but not limited to the following and verify that PINs and encrypted PIN blocks are not stored after authorization:
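The 3.2.1 to 3.2.3 testing procedures quoted above ask the assessor to examine logs, database contents, incoming transaction data and any other output for stored track data, card verification codes and PIN blocks. The scanner below is an added example written for this page, not code from the PCI SSC template or any QSA tool; it runs that check over a handful of constructed log lines and database rows. It flags track 1 and track 2 shapes only when the embedded PAN passes the Luhn check, flags labelled verification-code fields (with CVN2 included, matching the r2 list) and PIN fields, and, going one step beyond 3.2, reports unmasked PANs outside track data for Requirement 3.4. The field names, finding labels and sample records are assumptions for illustration.

```python
"""Scan log lines and DB rows for sensitive authentication data (SAD) that must
not be retained after authorization: full track data (3.2.1), card verification
codes (3.2.2) and PINs / PIN blocks (3.2.3). Added example; field names and
sample records are constructed for illustration."""
import re
from typing import Dict, List, Tuple

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?   Track 2: ;<PAN>=<YYMM><service code>...?
TRACK1_RE = re.compile(r"%[A-Z](\d{13,19})\^[^^]{2,26}\^\d{7}[^?]*\??")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{7}\d*\??")
# Labelled verification codes; CVN2 is the UnionPay code added to the r2 list.
CVV_RE = re.compile(r"\b(cvv2?|cvc2?|cvn2?|cav2|cid)\b[\"']?\s*[=:]\s*[\"']?(\d{3,4})\b", re.I)
# Clear PINs (4-12 digits) or PIN blocks (hex); the label set is an assumption.
PIN_RE = re.compile(r"\b(pin_?block|encrypted_?pin|pin)\b[\"']?\s*[=:]\s*[\"']?([0-9A-Fa-f]{4,16})\b", re.I)
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check; cuts most timestamps, transaction ids and counters out of PAN hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four only, so the finding itself is not a new PAN store."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_record(text: str) -> List[Tuple[str, str]]:
    """Return (finding label, masked evidence) pairs for one log line or DB row."""
    findings: List[Tuple[str, str]] = []
    track_spans: List[Tuple[int, int]] = []
    for label, rx in (("3.2.1 track 1 data", TRACK1_RE), ("3.2.1 track 2 data", TRACK2_RE)):
        for m in rx.finditer(text):
            if luhn_ok(m.group(1)):  # track-shaped string around a real PAN
                findings.append((label, mask_pan(m.group(1))))
                track_spans.append(m.span())
    for m in CVV_RE.finditer(text):
        findings.append(("3.2.2 card verification code", m.group(1).lower()))
    for m in PIN_RE.finditer(text):
        findings.append(("3.2.3 PIN / PIN block", m.group(1).lower()))
    for m in PAN_RE.finditer(text):
        inside_track = any(s <= m.start() < e for s, e in track_spans)
        if not inside_track and luhn_ok(m.group(0)):
            findings.append(("3.4 unmasked PAN", mask_pan(m.group(0))))
    return findings


def scan_records(records: List[str]) -> Dict[int, List[Tuple[str, str]]]:
    """Map record index -> findings, keeping only records with at least one hit."""
    return {i: hits for i, r in enumerate(records) if (hits := scan_record(r))}


# Constructed sample data: one clean line and several ways SAD leaks into storage.
SAMPLE_RECORDS = [
    "2022-09-14T10:02:11Z auth ok pan=411111******1111 amount=42.00 approval=A1B2C3",
    '2022-09-14T10:02:11Z DEBUG swipe=";4111111111111111=25121010000000000?"',
    'ERROR request body: {"pan":"5555555555554444","exp":"1225","cvv2":"123"}',
    "txn_id=88213 pan=4111111111111111 pinblock=0A1B2C3D4E5F6789",
    "hist: %B4111111111111111^DOE/JOHN^25121011000000000000?",
    "noise: ;1234567890123456=2512101?",  # track-2 shape but the PAN fails Luhn
]

if __name__ == "__main__":
    for idx, hits in scan_records(SAMPLE_RECORDS).items():
        for label, evidence in hits:
            print(f"record {idx}: {label} ({evidence})")
```

The Luhn gate matters in practice: the discretionary data after the expiry date in a swipe is long enough to look like a PAN, so without the track-span exclusion and the mod-10 check the same record is reported twice. Pointing the scanner at real data sources means feeding it file contents and query results rather than the inline list, and treating every hit as a finding to be explained in the report, not as a reason to edit the regexes until it goes quiet.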
Modified p. 70 → 69
• The retirement or replacement of keys when the integrity of the key has been weakened.

• The replacement of known or suspected compromised keys.

• Any keys retained after retiring or replacing are not used for encryption operations.
• The retirement or replacement of keys when the integrity of the key has been weakened.

• The replacement of known or suspected compromised keys.
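The key-retirement bullets above (page 70 → 69) describe three key states rather than any code: a key whose integrity has weakened is retired, a known or suspected compromised key is replaced, and anything retained after retirement or replacement is never used for encryption again. The following key ring is an added example, not code from the template or from PCI SSC, that enforces exactly that: only the single active key encrypts, a retired key decrypts existing data but nothing more, and a compromised key is refused in both directions. The cipher is an HMAC-SHA256 counter-mode stand-in so the block runs on the standard library alone; the key ids, state names and sample plaintext are assumptions.

```python
"""Key ring enforcing the key-management bullets quoted above. Added example;
the stream cipher is a standard-library stand-in, not a recommended primitive."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class KeyState(Enum):
    ACTIVE = "active"            # may encrypt new data and decrypt
    RETIRED = "retired"          # decrypt-only: weakened or superseded, kept for existing data
    COMPROMISED = "compromised"  # no cryptographic use at all; re-encrypt data under a new key


@dataclass
class ManagedKey:
    kid: str
    secret: bytes
    state: KeyState = KeyState.ACTIVE


def _subkey(secret: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from the managed secret."""
    return hmac.new(secret, label, hashlib.sha256).digest()


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 in counter mode (assumption for this
    example; an AEAD such as AES-GCM is what production code should use)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class KeyRing:
    def __init__(self) -> None:
        self._keys: Dict[str, ManagedKey] = {}
        self._active: Optional[str] = None

    def add(self, kid: str) -> None:
        """Install a fresh random 256-bit key as the only ACTIVE key; the key it
        replaces drops to RETIRED and can no longer encrypt."""
        if kid in self._keys:
            raise ValueError(f"key id {kid!r} already exists")
        if self._active is not None:
            self._keys[self._active].state = KeyState.RETIRED
        self._keys[kid] = ManagedKey(kid, os.urandom(32))
        self._active = kid

    def retire(self, kid: str) -> None:
        """Integrity weakened: keep the key for decrypting existing data only."""
        key = self._keys[kid]
        if key.state is KeyState.COMPROMISED:
            raise ValueError(f"{kid}: a compromised key cannot be downgraded to retired")
        key.state = KeyState.RETIRED
        if self._active == kid:
            self._active = None  # add() a replacement before encrypting again

    def compromise(self, kid: str) -> None:
        """Known or suspected compromise: no further use in either direction."""
        self._keys[kid].state = KeyState.COMPROMISED
        if self._active == kid:
            self._active = None

    def state(self, kid: str) -> KeyState:
        return self._keys[kid].state

    def encrypt(self, plaintext: bytes) -> Tuple[str, bytes]:
        """Only the ACTIVE key encrypts; returns (key id, nonce || ciphertext || tag)."""
        if self._active is None:
            raise RuntimeError("no active key: add() a replacement key before encrypting")
        key = self._keys[self._active]
        nonce = os.urandom(16)
        body = nonce + _keystream_xor(_subkey(key.secret, b"enc"), nonce, plaintext)
        tag = hmac.new(_subkey(key.secret, b"mac"), body, hashlib.sha256).digest()
        return key.kid, body + tag

    def decrypt(self, kid: str, blob: bytes) -> bytes:
        """ACTIVE and RETIRED keys decrypt; a COMPROMISED key is refused outright."""
        key = self._keys[kid]
        if key.state is KeyState.COMPROMISED:
            raise PermissionError(f"{kid}: compromised key; re-encrypt the data under a new key")
        body, tag = blob[:-32], blob[-32:]
        expected = hmac.new(_subkey(key.secret, b"mac"), body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("authentication tag mismatch")
        return _keystream_xor(_subkey(key.secret, b"enc"), body[:16], body[16:])


def demo() -> dict:
    """Walk the lifecycle with constructed data and report what each step allowed."""
    ring = KeyRing()
    ring.add("k1")
    kid, blob = ring.encrypt(b"4111111111111111")  # constructed sample plaintext
    ring.add("k2")                                 # replacement: k1 -> RETIRED, k2 -> ACTIVE
    old_plain = ring.decrypt(kid, blob)            # retired key still reads existing data
    new_kid, _ = ring.encrypt(b"new record")       # new data goes under k2 only
    ring.compromise("k1")
    try:
        ring.decrypt(kid, blob)
        compromised_refused = False
    except PermissionError:
        compromised_refused = True
    ring.retire("k2")                              # weakened, replacement not yet installed
    try:
        ring.encrypt(b"x")
        retired_refused = False
    except RuntimeError:
        retired_refused = True
    return {"old_plain": old_plain, "new_kid": new_kid, "k1": ring.state("k1"),
            "k2": ring.state("k2"), "compromised_refused": compromised_refused,
            "retired_refused": retired_refused}


if __name__ == "__main__":
    print(demo())
```

The point an assessor checks for this requirement is visible in the state transitions, not the cipher: after `add("k2")` there is no code path that encrypts under k1, and after `compromise("k1")` the data encrypted under it can only be recovered by re-encrypting from a copy that was already decrypted under a good key.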
Modified p. 80 → 79
<Report Findings Here> Identify the responsible personnel interviewed who confirm that the above documented security policies and operational procedures for protecting systems against malware are:
<Report Findings Here> Identify the responsible personnel interviewed who confirm that the above documented security policies and operational procedures for protecting systems against malware are: • In use
Modified p. 81 → 80
Identify the documented policies and procedures examined to confirm that processes are defined:
Identify the documented policies and procedures examined to confirm that processes are defined: • To identify new security vulnerabilities.
Modified p. 84 → 83
• Code changes are reviewed by individuals other than the originating code author, and by individuals who are knowledgeable in code review techniques and secure coding practices.

• Code reviews ensure code is developed according to secure coding guidelines (see PCI DSS Requirement 6.5).

• Appropriate corrections are implemented prior to release.
• Code changes are reviewed by individuals other than the originating code author, and by individuals who are knowledgeable in code review techniques and secure coding practices.

• Code reviews ensure code is developed according to secure coding guidelines (see PCI DSS Requirement 6.5).
Modified p. 88 → 87
• Documented change approval by authorized parties.

• Functionality testing to verify that the change does not adversely impact the security of the system.

• Back-out procedures.
• Functionality testing to verify that the change does not adversely impact the security of the system.

• Back-out procedures.
Modified p. 88 → 87
Identify the documented change-control procedures examined to verify procedures are defined for:
Identify the documented change-control procedures examined to verify procedures are defined for: • Documentation of impact.
Modified p. 94 → 93
• Not exposing internal object references to users.

• User interfaces that do not permit access to unauthorized functions.
• Not exposing internal object references to users.
Modified p. 96 → 95
[table header] …assessment tools or methods as follows: - At least annually. - After any changes. - By an organization that specializes in application security. - That, at a minimum, all vulnerabilities in Requirement 6.5 are included in the assessment. - That all vulnerabilities are corrected. - That the application is re-evaluated after the corrections.
[table header] …assessment tools or methods as follows: - At least annually.
Modified p. 96 → 95
• Examine the system configuration settings and interview responsible personnel to verify that an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) is in place as follows: - Is situated in front of public-facing web applications to detect and prevent web- based attacks.
• Examine the system configuration settings and interview responsible personnel to verify that an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) is in place as follows:
Modified p. 97 → 96
Identify the responsible personnel interviewed who confirm that public-facing web applications are reviewed, as follows:
Identify the responsible personnel interviewed who confirm that public-facing web applications are reviewed, as follows: • At least annually.
Modified p. 98 → 97
<Report Findings Here> Identify the responsible personnel interviewed who confirm that the above documented security policies and operational procedures for developing and maintaining secure systems and applications are:
<Report Findings Here> Identify the responsible personnel interviewed who confirm that the above documented security policies and operational procedures for developing and maintaining secure systems and applications are: • In use
Modified p. 100 → 99
<Report Findings Here> Identify the responsible management personnel interviewed to confirm that privileges assigned are:
<Report Findings Here> Identify the responsible management personnel interviewed to confirm that privileges assigned are: • Necessary for that individual’s job function.
Modified p. 103 → 102
• Manage IDs used by vendors to access, support, or maintain system components via remote access as follows: - Enabled only during the time period needed and disabled when not in use.
• Manage IDs used by vendors to access, support, or maintain system components via remote access as follows:
Modified p. 109 → 108
• Require a minimum length of at least seven characters.

• Contain both numeric and alphabetic characters.
• Require a minimum length of at least seven characters.
Modified p. 117 → 116
<Report Findings Here> Identify the responsible personnel interviewed who confirm that the above documented security policies and operational procedures for identification and authentication are:
<Report Findings Here> Identify the responsible personnel interviewed who confirm that the above documented security policies and operational procedures for identification and authentication are: • In use
Modified p. 123 → 122
Provide the name of the assessor who attests that the visitor log contains:
Provide the name of the assessor who attests that the visitor log contains: • The visitor’s name,
Modified p. 127 → 126
Identify the documented policies and procedures examined to verify they include:
Identify the documented policies and procedures examined to verify they include: • Maintaining a list of devices.
Modified p. 128 → 127
Identify the documented procedures examined to verify that processes are defined to include the following:
Identify the documented procedures examined to verify that processes are defined to include the following: • Procedures for inspecting devices.
Modified p. 128 → 127
• Personnel are aware of procedures for inspecting devices.

• All devices are periodically inspected for evidence of tampering and substitution.
• All devices are periodically inspected for evidence of tampering and substitution.
Modified p. 135 → 134
• Only the designated central time server(s) receive time signals from external sources, and time signals from external sources are based on International Atomic Time or UTC.

• Where there is more than one designated time server, the time servers peer with one another to keep accurate time.

• Systems receive time information only from designated central time server(s).
• Only the designated central time server(s) receive time signals from external sources, and time signals from external sources are based on International Atomic Time or UTC.
Modified p. 137 → 136
• Current audit trail files are promptly backed up to a centralized log server or media that is difficult to alter, including: - That current audit trail files are promptly backed up to the centralized log server or media - The frequency that audit trail files are backed up - That the centralized log server or media is difficult to alter
• Current audit trail files are promptly backed up to a centralized log server or media that is difficult to alter, including: - That current audit trail files are promptly backed up to the centralized log server or media - The frequency that audit trail files are backed
Modified p. 140 → 139
• Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion- prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.) Identify the responsible personnel interviewed who confirm that the following are reviewed at least daily:
• Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion- prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.) Identify the responsible personnel interviewed who confirm that the following are reviewed at least daily: • All security events
Modified p. 147 → 146
If ‘yes,’ Identify/describe the output from recent wireless scans examined to verify that:
If ‘yes,’ Identify/describe the output from recent wireless scans examined to verify that: • Authorized wireless access points are identified.
Modified p. 153 → 152
[table header] Identify the responsible personnel interviewed who confirm the penetration testing methodology implemented includes at least the following:
[table header] Identify the responsible personnel interviewed who confirm the penetration testing methodology implemented includes at least the following:
Modified p. 156 → 155
• Penetration testing to verify segmentation controls is performed at least annually and after any changes to segmentation controls/methods.

• The penetration testing covers all segmentation controls/methods in use.

• The penetration testing verifies that segmentation controls/methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
• The penetration testing covers all segmentation controls/methods in use.

• The penetration testing verifies that segmentation controls/methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
Modified p. 164 → 163
<Report Findings Here> 12.3.3 A list of all such devices and personnel with access. 12.3.3 Verify that the usage policies define:
<Report Findings Here> 12.3.3 A list of all such devices and personnel with access. 12.3.3 Verify that the usage policies define: • A list of all critical devices, and
Modified p. 164 → 163
Provide the name of the assessor who attests that the usage policies were verified to define:
Provide the name of the assessor who attests that the usage policies were verified to define: • A list of all critical devices, and
Modified p. 164 → 163
Provide the name of the assessor who attests that the usage policies were verified to define a method to accurately and readily determine:
Provide the name of the assessor who attests that the usage policies were verified to define a method to accurately and readily determine: • Owner
Modified p. 169 → 168
• Personnel attend security awareness training: - Upon hire, and - At least annually
• Personnel attend security awareness training: - Upon hire, and
Modified p. 173 → 172
• Designate specific personnel to be available on a 24/7 basis to respond to alerts: - 24/7 incident monitoring - 24/7 incident response
• Designate specific personnel to be available on a 24/7 basis to respond to alerts:
Modified p. 174 → 173
• Business recovery and continuity procedures
• Business recovery and continuity procedures • Data back-up processes
Modified p. 176 → 175
[table header] Describe how it was observed that designated personnel are available for 24/7 incident response and monitoring coverage for:
[table header] Describe how it was observed that designated personnel are available for 24/7 incident response and monitoring coverage for: • Any evidence of unauthorized activity.
Modified p. 177 → 176
Identify the documented policy reviewed to verify that processes are defined to modify and evolve the incident response plan:
Identify the documented policy reviewed to verify that processes are defined to modify and evolve the incident response plan: • According to lessons learned.