Document Comparison
PCI-DSS-v3-2-1-DESV-S-AOC-r2.pdf → PCI-DSS-v4-0-DESV-AOC-r1.pdf
53% similar
Pages: 7 → 7
Words: 1503 → 1388
Content Changes: 27
27 content changes. 11 administrative changes (dates, page numbers) hidden.
Added
p. 1
Payment Card Industry Data Security Standard
Part 1. Contact Information Part 1a. Assessed Entity (ROC Section 1.1) Company name:
Company mailing address:
Company mailing address:
Company main website:
Company contact name:
Company contact title:
Contact phone number:
Contact e-mail address:
Part 1b. Assessor (ROC Section 1.1) Provide the following information for all assessors involved in the Assessment. If there was no assessor for a given assessor type, enter Not Applicable.
PCI SSC Internal Security Assessor(s) ISA name(s):
Assessor phone number:
Assessor e-mail address:
Assessor certificate number:
Added
p. 3
DESV Requirement Requirement Finding More than one response may be selected for a given requirement.
Indicate all responses that apply.
Select If Below Method Was Used In Place Not Applicable Not In Place Compensating Requirement Requirement Requirement Requirement Requirement
Added
p. 4
YYYY-MM-DD Were any requirements in the S-ROC for Designated Entities unable to be met due to a legal constraint? Yes No Were any testing activities performed remotely? If yes, for each testing activity below, indicate whether remote assessment activities were performed:
• Examine documentation Yes No
• Interview personnel Yes No
• Examine/observe live data Yes No
• Observe process being performed Yes No
• Observe physical environment Yes No
• Interactive testing Yes No
Added
p. 5
This option requires additional review from the entity to which this S-AOC will be submitted. If selected, complete the following:
Added
p. 6
QSA performed testing procedures.
QSA provided other assistance. If selected, describe all role(s) performed:
Signature of Lead QSA Date: YYYY-MM-DD Lead QSA Name:
ISA(s) performed testing procedures.
ISA(s) provided other assistance.
If selected, describe all role(s) performed:
Added
p. 7
A3.2 PCI DSS scope is documented and validated.
A3.3 PCI DSS is incorporated into business-as-usual (BAU) activities.
Logical access to the cardholder data environment is controlled and managed.
A3.5 Suspicious events are identified and responded to.
Removed
p. 2
Part 1. Designated Entity and Qualified Security Assessor Information Part 1a. Designated Entity’s Organization Information Company Name: DBA (doing business as):
Business Address: City:
Business Address: City:
State/Province: Country: Zip:
State/Province: Country: Zip:
Lead QSA Contact Name: Title:
Modified
p. 2
Section 1: Assessment Information Instructions for Submission ** Complete this Attestation of Compliance only if required by a Payment Brand or Acquirer to complete the requirements specified in the PCI DSS Appendix A3: Designated Entities Supplemental Validation** This Supplemental Attestation of Compliance (S-AOC) must be completed as a declaration of the results of the Designated Entity’s assessment with PCI DSS Appendix A3: PCI DSS Designated Entities Supplemental Validation (DESV). The S-AOC is an addendum to the PCI DSS Attestation of …
Section 1 Assessment Information Instructions for Submission ** Complete this Attestation of Compliance only if required by a Payment Brand or Acquirer to complete the requirements specified in the PCI DSS v4.0 Appendix A3: Designated Entities Supplemental Validation** This Supplemental Attestation of Compliance (S-AOC) must be completed as a declaration of the results of the Designated Entity’s assessment with PCI DSS v4.0 Appendix A3: PCI DSS Designated Entities Supplemental Validation (DESV). The S-AOC is an addendum to the PCI DSS …
Modified
p. 2
Qualified Security Assessor Company name:
Removed
p. 3
• The requirement and all sub-requirements of that requirement were assessed, and no sub-requirements were marked as “Not Applicable” in the Supplemental Report on Compliance (S-ROC) for Designated Entities.
• One or more sub-requirements of that requirement were marked as “Not Applicable” in the S-ROC for Designated Entities.
• All sub-requirements of that requirement were marked as “Not Applicable” in the S-ROC for Designated Entities.
For all requirements identified as either “Partial” or “None,” provide details in the “Justification for Approach” column, including:
• Details of specific sub-requirements that were marked as “Not Applicable” in the S-ROC for Designated Entities
• Reason why sub-requirement(s) were not applicable
Note: One table to be completed for each service covered by this S-AOC. Additional copies of this section are available on the PCI SSC website.
Name of Service Assessed:
Modified
p. 4
Section 2: Supplemental Report on Compliance This Supplemental Attestation of Compliance reflects the results of an onsite assessment, which is documented in an accompanying Supplemental Report on Compliance S-ROC for Designated Entities.
Section 2 Supplemental Report on Compliance This Supplemental Attestation of Compliance reflects the results of an assessment that is documented in an accompanying Supplemental Report on Compliance S-ROC for Designated Entities.
Removed
p. 5
If checked, complete the following:
If my environment changes, I recognize I must reassess my environment and implement any additional DESV requirements that apply.
Modified
p. 5
Section 3: Validation and Attestation Details Part 3. PCI DSS Designated Entities Supplemental Validation This AOC is based on results noted in the S-ROC dated S-ROC completion date.
Section 3 Validation and Attestation Details Part 3. PCI DSS Designated Entities Supplemental Validation This S-AOC is based on results noted in the S-ROC dated (S-ROC completion date YYYY-MM-DD).
Modified
p. 5
Based on the results documented in the S-ROC for Designated Entities noted above, the signatories identified in Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document (check one):
Based on the results documented in the S-ROC for Designated Entities noted above, each signatory identified in any of Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document (select one):
Modified
p. 5
Compliant: All sections of the S-ROC for Designated Entities are complete, all questions answered affirmatively, resulting in an overall COMPLIANT rating; thereby (Designated Entity Company Name) has demonstrated full compliance with the PCI DSS Designated Entities Supplemental Validation.
Compliant: All sections of the S-ROC for Designated Entities are complete, and all requirements are marked as being either In Place or Not Applicable, resulting in an overall COMPLIANT rating; thereby (Designated Entity Company Name) has demonstrated compliance with all PCI DSS Designated Entities Supplemental Validation requirements.
Modified
p. 5
Non-Compliant: Not all sections of the S-ROC for Designated Entities are complete, or not all questions are answered affirmatively, resulting in an overall NON-COMPLIANT rating, thereby (Designated Entity Company Name) has not demonstrated full compliance with the PCI DSS Designated Entities Supplemental Validation.
Non-Compliant: Not all sections of the S-ROC for Designated Entities are complete, or one or more requirements are marked as Not in Place, resulting in an overall NON-COMPLIANT rating, thereby (Designated Entity Company Name) has not demonstrated compliance with PCI DSS Designated Entities Supplemental Validation requirements.
Modified
p. 5
An entity submitting this form with a status of Non-Compliant may be required to complete the Action Plan in Part 4 of this document. Check with the payment brand(s) before completing Part 4.
Target Date for Compliance: YYYY-MM-DD An entity submitting this form with a status of Non-Compliant status may be required to complete the Action Plan in Part 4 of this document. Confirm with the entity to which this S-AOC will be submitted before completing Part 4.
Modified
p. 5
Compliant but with Legal exception: One or more requirements are marked “Not in Place” due to a legal restriction that prevents the requirement from being met. This option requires additional review from acquirer or payment brand.
Compliant but with Legal exception: One or more requirements of the S-ROC for Designated Entities are marked “Not in Place” due to a legal restriction that prevents the requirement from being met and all other requirements are marked as being either In Place or Not Applicable, resulting in an overall COMPLIANT BUT WITH LEGAL EXCEPTION rating; thereby has demonstrated compliance with all PCI DSS Designated Entities Supplemental Validation requirements except those noted as Not in Place due to a legal …
Modified
p. 5
Affected Requirement Details of how legal constraint prevents requirement being met Part 3a. Acknowledgement of Status Signatory(s) confirms:
Affected Requirement Details of how legal constraint prevents requirement from
Modified
p. 5 → 6
(Select all that apply) The S-ROC for Designated Entities was completed according to PCI DSS Version 4.0 Appendix A3: Designated Entities Supplemental Validation and was completed according to the instructions therein.
Modified
p. 5 → 6
All information within the above-referenced S-ROC for Designated Entities and in this attestation fairly represents the results of my assessment in all material respects.
All information within the above-referenced S-ROC for Designated Entities and in this attestation fairly represents the results of the assessment in all material respects.
Modified
p. 5 → 6
PCI DSS Appendix A3: Designated Entities Supplemental Validation (DESV) controls will be maintained at all times, as applicable to the entity’s environment.
Modified
p. 6
Part 3c. Qualified Security Assessor (QSA) Acknowledgement (if applicable) If a QSA was involved or assisted with this assessment, describe the role performed:
Part 3c. Qualified Security Assessor (QSA) Acknowledgement If a QSA was involved or assisted with this Assessment, indicate the role performed:
Modified
p. 6
Signature of Duly Authorized Officer of QSA Company Date:
Signature of Duly Authorized Officer of QSA Company Date: YYYY-MM-DD Duly Authorized Officer Name: QSA Company:
Modified
p. 6
Part 3d. Internal Security Assessor (ISA) Involvement (if applicable) If an ISA(s) was involved or assisted with this assessment, identify the ISA personnel and describe the role performed:
Part 3d. Internal Security Assessor (ISA) Involvement If an ISA(s) was involved or assisted with this Assessment, indicate the role performed:
Removed
p. 7
Check with the applicable payment brand(s) before completing Part 4.
Modified
p. 7
Requirement Description of Requirement Compliant to DESV Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO A3.1 Implement a PCI DSS compliance program A3.2 Document and validate PCI DSS scope Validate PCI DSS is incorporated into business-as-usual (BAU) activities A3.4 Control and manage logical access to the cardholder data environment A3.5 Identify and respond to suspicious events
Requirement Description of Requirement Compliant to DESV Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO A3.1 PCI DSS compliance program is implemented.