Document Comparison: PCI-DSS-3x-ROC-RTs-FAQs.pdf → PCI_DSS_3%20x_ROC_RTs_FAQs_r1.pdf
95% similar
Pages: 10 → 11
Words: 5054 → 5186
Content Changes: 8
From Revision History
- June 2023 Revision 1 Added Q23 to clarify the use of the “not tested” reporting response for
- June 2023 © 2006-2023 PCI Security Standards Council, LLC. All Rights Reserved. Page 3 ROC Reporting Template for PCI DSS v3.x:
- June 2023 © 2006-2023 PCI Security Standards Council, LLC. All Rights Reserved. Page 4 includes reordering of sections, which is NOT allowed. Generally, changes to the format should
Content Changes
8 content changes. 13 administrative changes (dates, page numbers) hidden.
Added
p. 9
Q 23 Can an AOC be marked “Compliant” if the assessment includes a “Not Tested” response? No. “Not Tested” indicates that the assessment was only partially completed. At no point should the AOC for completion of a partial assessment indicate an organization’s full compliance with PCI DSS. Therefore, any assessment that includes a “Not Tested” response must be marked as non-compliant in the related AOC.
Modified
p. 7 → 8
• An organization may be asked by their acquirer to validate a subset of requirements; for example, using the prioritized approach to validate certain milestones.
Modified
p. 7 → 8
• An organization may wish to validate a new security control that impacts only a subset of requirements; for example, implementation of a new encryption methodology that requires assessment of PCI DSS Requirements 2, 3, and 4.
Modified
p. 7 → 8
• A service provider organization might offer a service that covers only a limited number of
Modified
p. 8 → 9
Q 23 → Q 24 Can you clarify the difference in “Not Applicable” versus “Not Tested” for a scenario such as a cloud services (Infrastructure as a Service) provider? In that case, the service provider would not be responsible for applications or other aspects that the customer is responsible for. Are those N/A or not tested? A First, consider the guidance that if a requirement was considered and tested to confirm it is not applicable, it is “not applicable.” If the requirement is …
Modified
p. 9 → 10
Q 24 → Q 25 Are future-dated requirements considered “Not Applicable” or “Not Tested”? A While it is true that the requirement is likely not tested (hence the original instructions), it is not required to be tested until the future date has passed, and the requirement is therefore not applicable until that date. As such, a “Not Applicable” response to future-dated requirements is accurate, whereas a “Not Tested” response would imply there was not any consideration as to whether it could apply (and …
Modified
p. 9 → 10
Q 25 → Q 26 I am curious why the “N/A” is grayed out for 3.2.1. I can see situations (physical security facility) that might look at this question as N/A since the client would be responsible for the application and database. A There is not a change in intent here. Some of the highlights follow:
Modified
p. 10 → 11
Q 27 → Q 28 Regarding the AOC for Service Providers, v3.x, are you planning to issue definitions for the services listed or similar guidance? A There are no plans at this time for formal definitions for these services by PCI SSC. As noted in Part 2 of the AOC for Service Providers, v3.x: “Note: These categories are provided for assistance only, and are not intended to limit or predetermine an entity’s service description. If you feel these categories don’t apply to your …