Document Comparison
PCI_DSS_3%20x_ROC_RTs_FAQs_r1.pdf
→
PCI-DSS-v4-x-ROC-Template-FAQs-r2.pdf
11% similar
11 → 12
Pages
5186 → 3818
Words
30
Content Changes
From Revision History
- August 2024 ©2006 - 2024 PCI Security Standards Council, LLC. All Rights Reserved.
Content Changes
30 content changes. 19 administrative changes (dates, page numbers) hidden.
Added
p. 1
Payment Card Industry Data Security Standard
PCI DSS v4.x Report on Compliance Template - Frequently Asked Questions Revision 2
PCI DSS v4.x Report on Compliance Template - Frequently Asked Questions Revision 2
Added
p. 2
1. Overview of PCI DSS v4.x Reporting 1.1 What has changed in the PCI DSS v4.x ROC Template? Refer to the following documents for details:
• PCI DSS ROC Template Summary of Changes from ROC Template v4.0 to v4.0.1.
• PCI DSS v4.x ROC Template
• Frequently Asked Questions r1 (for updates to the PCI DSS v4.0 ROC Template).
• PCI DSS ROC Template Summary of Changes from ROC Template v4.0 to v4.0.1.
• PCI DSS v4.x ROC Template
• Frequently Asked Questions r1 (for updates to the PCI DSS v4.0 ROC Template).
Added
p. 2
ASSESSMENT APPROACH WHEN TO USE THIS APPROACH Customized Approach Focuses on the Customized Approach Objective of each PCI DSS Requirement (if applicable), allowing entities to implement controls to meet the requirement’s stated Customized Approach Objective in a way that does not strictly follow the defined requirement. The customized approach supports innovation in security practices, allowing entities greater flexibility to show how their current security controls meet PCI DSS requirements. Refer to the PCI DSS Requirements and Testing Procedures v4.x for the Customized Approach Objectives, included with each applicable requirement. Note: If used by the assessed entity, the assessor completes and includes Appendix E Customized Approach Template with the ROC. Note: Compensating Controls are not an option for the Customized Approach Defined Approach The traditional method for implementing and validating PCI DSS and uses the Requirements and Testing Procedures defined within the standard. The entity implements security controls to meet the …
Added
p. 4
These results are summarized in Section 1.8 Summary of Assessment.
Here is sample layout of Part II: Section 7 Findings and Observations that shows the headings and reporting options:
Requirement Description 1.1 Example Requirement Description
PCI DSS Requirement 1.1.1 Example Requirement Assessment Findings (select one) Select If below Method(s) Was Used In Place Not Applicable Not Tested Not in Place Compensating Control* Customized Approach* ☐ ☐ ☐ ☐ ☐ ☐ Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions. *As applicable, complete and attach the corresponding documentation (Appendix C, Appendix E, or both) to support the method(s) used.
Testing Procedures Reporting Instructions Reporting Details: Assessor’s Response 1.1.1.a Example testing procedure Example reporting instruction 1.1.1.b Example testing procedure Example reporting instruction
Here is sample layout of Part II: Section 7 Findings and Observations that shows the headings and reporting options:
Requirement Description 1.1 Example Requirement Description
PCI DSS Requirement 1.1.1 Example Requirement Assessment Findings (select one) Select If below Method(s) Was Used In Place Not Applicable Not Tested Not in Place Compensating Control* Customized Approach* ☐ ☐ ☐ ☐ ☐ ☐ Describe why the assessment finding was selected. Note: Include all details as noted in the “Required Reporting” column of the table in Assessment Findings in the ROC Template Instructions. *As applicable, complete and attach the corresponding documentation (Appendix C, Appendix E, or both) to support the method(s) used.
Testing Procedures Reporting Instructions Reporting Details: Assessor’s Response 1.1.1.a Example testing procedure Example reporting instruction 1.1.1.b Example testing procedure Example reporting instruction
Added
p. 5
Overall Assessment Result
• Compliant but with Legal Exception
• Non-Compliant The Assessment Findings in Part II shows the results for each individual PCI DSS requirement, and is one of the following:
• Not in Place 2.4 For the sample layout shown in Q 2.2, for “Select If Below Method(s) Was Used,” how does an assessor determine whether to select “Compensating Control” or “Customized Approach” for a requirement? If an entity has implemented a compensating control to meet some or all aspects of a requirement, “Compensating Control” is selected. In this case, the assessor has performed expected testing of the compensating control and selects the corresponding Assessment Finding that accurately represents the results of the testing. The assessor also completes and includes the Appendix C Compensating Controls Worksheet in in the PCI DSS v4.x ROC Template.
See PCI DSS v4.x Appendices B and C for more details about compensating controls.
If an entity has implemented …
• Compliant but with Legal Exception
• Non-Compliant The Assessment Findings in Part II shows the results for each individual PCI DSS requirement, and is one of the following:
• Not in Place 2.4 For the sample layout shown in Q 2.2, for “Select If Below Method(s) Was Used,” how does an assessor determine whether to select “Compensating Control” or “Customized Approach” for a requirement? If an entity has implemented a compensating control to meet some or all aspects of a requirement, “Compensating Control” is selected. In this case, the assessor has performed expected testing of the compensating control and selects the corresponding Assessment Finding that accurately represents the results of the testing. The assessor also completes and includes the Appendix C Compensating Controls Worksheet in in the PCI DSS v4.x ROC Template.
See PCI DSS v4.x Appendices B and C for more details about compensating controls.
If an entity has implemented …
Added
p. 8
• No CHD in the environment.
• Acquirer asks for a report only covering a subset of requirements (for example, using the PCI DSS Prioritized Approach).
Testing Assessor performs the appropriate testing and validation on all requirements. Any PCI DSS requirement where testing verifies the non- applicability of that requirement is marked as Not Applicable, which would NOT result in a Partial Assessment.
Assessor performs appropriate testing and validation only for the specified requirements. The remaining requirements are marked as Not Tested, which would result in a Partial Assessment.
5. General Questions 5.1 Is use of the ROC Template for PCI DSS v4.x mandatory? Yes. The PCI DSS ROC Template is mandatory for QSAs to use when documenting a detailed PCI DSS assessment (as contrasted with a less detailed PCI DSS self-assessment documented in a Self-Assessment Questionnaire (SAQ)). All response sections in the ROC Template must be completed (even if to note that sections …
• Acquirer asks for a report only covering a subset of requirements (for example, using the PCI DSS Prioritized Approach).
Testing Assessor performs the appropriate testing and validation on all requirements. Any PCI DSS requirement where testing verifies the non- applicability of that requirement is marked as Not Applicable, which would NOT result in a Partial Assessment.
Assessor performs appropriate testing and validation only for the specified requirements. The remaining requirements are marked as Not Tested, which would result in a Partial Assessment.
5. General Questions 5.1 Is use of the ROC Template for PCI DSS v4.x mandatory? Yes. The PCI DSS ROC Template is mandatory for QSAs to use when documenting a detailed PCI DSS assessment (as contrasted with a less detailed PCI DSS self-assessment documented in a Self-Assessment Questionnaire (SAQ)). All response sections in the ROC Template must be completed (even if to note that sections …
Added
p. 9
Other changes must be minimal and the format of the ROC Template for PCI DSS v4.x must remain unchanged. This includes reordering of sections, which is NOT allowed. Nothing is permitted to be removed from Parts I and II of the document, including sections or requirements determined to be not applicable. Those sections and/or requirements must remain in the completed ROC Template with the “Not Applicable” result documented instead. Edits to the footers are explicitly not allowed.
Added
p. 10
• Addition of Company logos and legal verbiage
• Changes to the customizable title page
• Changes to the page headers
• Additions of table rows
• Removal of the ROC Template PCI SSC cover page, the Document Changes table, the ROC Template Table of Contents, and ROC Template Instructions The following changes are prohibited:
• Edits to the footers
• Changes to the format of the ROC Template for PCI DSS v4.x
• Reordering or removal of sections or requirements
• Removal of any content from Parts I and II including reporting instructions in those sections The following should be considered when making changes:
• Ensure that any content added by the QSA is clearly distinguishable from the content that is part of the published PCI SSC document. All additions should be considered carefully, and such content should be added only to the customizable title page of the document.
• Changes to the customizable title page
• Changes to the page headers
• Additions of table rows
• Removal of the ROC Template PCI SSC cover page, the Document Changes table, the ROC Template Table of Contents, and ROC Template Instructions The following changes are prohibited:
• Edits to the footers
• Changes to the format of the ROC Template for PCI DSS v4.x
• Reordering or removal of sections or requirements
• Removal of any content from Parts I and II including reporting instructions in those sections The following should be considered when making changes:
• Ensure that any content added by the QSA is clearly distinguishable from the content that is part of the published PCI SSC document. All additions should be considered carefully, and such content should be added only to the customizable title page of the document.
Added
p. 11
• After the table of contents at the beginning of the document, the following disclaimer must be included in both in English and the translated language: "Note
Added
p. 12
Note
• Requirements that are future-dated are considered as best practices until the future date is reached. During this time, organizations are not required to validate to future-dated requirements. While validation is not required, organizations that have implemented controls to meet the new requirements and are ready to have the controls assessed prior to the stated future date are encouraged to do so. Once the designated future date is reached, all future-dated requirements become effective and applicable.
6. Account data storage 6.1 My client feels that the Storage of Account Data table in the completed ROC combines a lot of sensitive data into one document. How can I address their concerns, but complete the ROC Template appropriately? It is acceptable in the ROC Template at 4.3 for the QSA to attest that the storage of account data has been separately documented according to 4.3 and to include a document reference to identify …
• Requirements that are future-dated are considered as best practices until the future date is reached. During this time, organizations are not required to validate to future-dated requirements. While validation is not required, organizations that have implemented controls to meet the new requirements and are ready to have the controls assessed prior to the stated future date are encouraged to do so. Once the designated future date is reached, all future-dated requirements become effective and applicable.
6. Account data storage 6.1 My client feels that the Storage of Account Data table in the completed ROC combines a lot of sensitive data into one document. How can I address their concerns, but complete the ROC Template appropriately? It is acceptable in the ROC Template at 4.3 for the QSA to attest that the storage of account data has been separately documented according to 4.3 and to include a document reference to identify …
Removed
p. 1
Payment Card Industry (PCI) Data Security Standard Frequently Asked Questions for use with ROC Reporting Template for PCI DSS v3.x
Removed
p. 3
Frequently Asked Questions (FAQs) Purpose of document This document addresses questions around the use of the ROC Reporting Template for PCI DSS v3.x (PCI Template for Report on Compliance, for use with PCI DSS v3.x).
Q 1 Is use of the ROC Reporting Template for PCI DSS v3.x mandatory? A The ROC Reporting Template for PCI DSS is mandatory for use by QSAs assessing against PCI DSS. Requirements for ISAs and reporting should be discussed with the brands and/or acquirers accepting the Report on Compliance. An assessment against v3.x of the PCI DSS by a QSA must be completed using this Reporting Template, with all grey boxes and response sections completed (even if to note it is not applicable).
Q 2 I'm confused about when to use which document versions and how to pair them up. Please explain it as simply as possible. When you assess against 3.x, you need to use …
Q 1 Is use of the ROC Reporting Template for PCI DSS v3.x mandatory? A The ROC Reporting Template for PCI DSS is mandatory for use by QSAs assessing against PCI DSS. Requirements for ISAs and reporting should be discussed with the brands and/or acquirers accepting the Report on Compliance. An assessment against v3.x of the PCI DSS by a QSA must be completed using this Reporting Template, with all grey boxes and response sections completed (even if to note it is not applicable).
Q 2 I'm confused about when to use which document versions and how to pair them up. Please explain it as simply as possible. When you assess against 3.x, you need to use …
Modified
p. 3 → 9
Contact your Program Manager directly if you cannot access the Assessor Portal. A PDF version of the ROC Reporting Template for PCI DSS v3 is available on the PCI SSC website for non- assessor inquiries.
Contact your Program Manager directly if you cannot access the Assessor Portal. A PDF version of the ROC Template for PCI DSS v4.x is available on the PCI SSC website for non-assessor inquiries.
Removed
p. 4
The addition of content, such as legal verbiage, is allowed. PCI SSC would request that QSAs ensure there is reasonable distinction that the content has been added by the QSA and is not part of the published PCI SSC document. PCI SSC would also advise that such additions be considered carefully and such content should be added in the form of addendums to the document, with references to the addendum places with the report.
Q 5 Can our company use our reporting tool to generate the report (such as a PDF generated from HTML), provided that the look and the content closely follow the original? A PCI SSC will allow this, but with the understanding that what your reporting tool produces must include all content from the Reporting Template and look just like the PCI SSC Reporting Template. If it cannot do that, do not use the tool and report directly …
Q 5 Can our company use our reporting tool to generate the report (such as a PDF generated from HTML), provided that the look and the content closely follow the original? A PCI SSC will allow this, but with the understanding that what your reporting tool produces must include all content from the Reporting Template and look just like the PCI SSC Reporting Template. If it cannot do that, do not use the tool and report directly …
Modified
p. 4 → 10
• The entities to which a ROC is submitted (payment brands and/or acquirers) may choose not to accept any report that has changes to the ROC Template they believe are unacceptable.
Modified
p. 4 → 11
• QSA must provide both PCI SSC's English version and QSA’s translated version to customers/end-users, noting that the English version from PCI SSC governs in the event of any conflict.
Removed
p. 5
Q 9 What happened to the Reporting Methodology instructions and checkmarks that were in the Reporting Instructions for PCI DSS v2.0, but appear to be missing from the ROC Reporting Template for PCI DSS v3.x? A PCI SSC removed the Reporting Methodology instructions and checkmark columns after determining they were no longer necessary for ROC Reporting Template for PCI DSS v3.x due to the extensive changes that were made between the Reporting Instructions for 2.0 and the Reporting Template for 3.0.
The Reporting Instructions within the ROC Reporting Template for PCI DSS v3.x, in support of the enhanced Testing Requirements in PCI DSS v3.x, are explicit in what methodology is expected to be in use. By including a more precise Reporting Instruction directly in the Reporting Template next to the Testing Procedure, expectations regarding methodologies used to complete tests required are self-evident.
Q 10 Have requirements for work papers and retention of …
The Reporting Instructions within the ROC Reporting Template for PCI DSS v3.x, in support of the enhanced Testing Requirements in PCI DSS v3.x, are explicit in what methodology is expected to be in use. By including a more precise Reporting Instruction directly in the Reporting Template next to the Testing Procedure, expectations regarding methodologies used to complete tests required are self-evident.
Q 10 Have requirements for work papers and retention of …
Removed
p. 6
Q 13 If my QSA company is audited in 2016 or 2017, will we be audited using reports against only the most recent published standard? A Any audits will continue to employ a sampling of completed reports, which could include 3.1 and 3.2 reporting. It is important to continue to strive for quality reporting when assessing against both standards, and the expectations around 3.2 have not changed. Assessors should be prepared to be audited for any work they’ve completed, including reporting, work papers, and similar. The company will receive feedback no matter what version of reporting is used.
Q 14 My company has already begun assessing against the newest version and we’ve come up with a report. Can AQM or someone at the PCI SSC take a look at it and tell me if the reporting is acceptable? A Consulting is not an offering that AQM or PCI SSC can provide …
Q 14 My company has already begun assessing against the newest version and we’ve come up with a report. Can AQM or someone at the PCI SSC take a look at it and tell me if the reporting is acceptable? A Consulting is not an offering that AQM or PCI SSC can provide …
Removed
p. 7
Q 17 Where a testing procedure includes sampling of system components, should a list of host names or IP addresses be included in the response? A As explained in the “ROC Reporting Details” section, the assessor should identify the number and type of items included in each sample. It is not necessary to identify or name every sampled system component in the ROC; however, assessors may provide a list if it improves clarity or better explains the findings for some environments.
Irrespective of whether system component names are recorded in the ROC, the assessor must maintain a detailed record of each sampled component in their work papers, and provide full details of their sampling methodology in Section 3 of the ROC, “Description of Scope of Work and Approach Taken.”
Q 18 How will the “appropriateness” of a sample be measured? A The details required in Section 3 of the ROC, “Description of …
Irrespective of whether system component names are recorded in the ROC, the assessor must maintain a detailed record of each sampled component in their work papers, and provide full details of their sampling methodology in Section 3 of the ROC, “Description of Scope of Work and Approach Taken.”
Q 18 How will the “appropriateness” of a sample be measured? A The details required in Section 3 of the ROC, “Description of …
Modified
p. 8 → 6
In Place The expected testing has been performed, and all elements of the requirement have been met as stated.
Response When to use this response: In Place The expected testing has been performed, and all elements of the requirement have been met.
Modified
p. 8 → 6
Not in Place Some or all elements of the requirement have not been met, or are in the process of being implemented, or require further testing before it will be known if they are in place.
Not in Place Some or all elements of the requirement have not been met, are in the process of being implemented, or require further testing before it will be known if they are In Place.
Modified
p. 8 → 6
Not Applicable (N/A) The requirement does not apply to the organization’s environment.
Modified
p. 8 → 6
(See “What is the difference between “Not Applicable” and “Not Tested”?” below at 4.2 for examples of when this option should be used.)
Modified
p. 8 → 7
If a requirement is completely excluded from review without any consideration as to whether it could apply, the “Not Tested” option should be selected. Examples of situations where this could occur may include:
If a requirement is completely excluded from review without any consideration as to whether it could apply, the Not Tested option must be selected. Examples of situations where this could occur may include:
Modified
p. 8 → 7
• An organization may be asked by their acquirer to validate a subset of requirements example: using the prioritized approach to validate certain milestones.
• An organization may be asked by their acquirer or brand to validate a subset of requirements •for example, using the PCI DSS Prioritized Approach to address only certain milestones.
Modified
p. 8 → 7
• A service provider organization might offer a service that covers only a limited number of
• A service provider organization might offer a service that covers only a limited number of PCI DSS requirements
•for example, a physical storage provider may want to validate only the physical security controls per PCI DSS Requirement 9 for their storage facility.
•for example, a physical storage provider may want to validate only the physical security controls per PCI DSS Requirement 9 for their storage facility.
Modified
p. 8
PCI DSS requirements•for example, a physical storage provider may only wish to validate the physical security controls per PCI DSS Requirement 9 for their storage facility.
• A service provider organization offers a service that covers only a limited number of PCI DSS requirements-for example, a physical storage provider that wants to validate only the physical security controls per PCI DSS Requirement 9 for their storage facility.
Removed
p. 9
Q 23 Can an AOC be marked “Compliant” if the assessment includes a “Not Tested” response? No. “Not Tested” indicates that the assessment was only partially completed. At no point should the AOC for completion of a partial assessment indicate an organization’s full compliance with PCI DSS. Therefore, any assessment that includes a “Not Tested” response must be marked as non-compliant in the related AOC.
Q 24 Can you clarify the difference in “Not Applicable” versus “Not Tested” for a scenario such as a cloud services (Infrastructure as a Service) provider? In that case, the service provider would not be responsible for applications or other aspects that the customer is responsible for. Are those N/A or not tested? A First, consider the guidance that if a requirement was considered and tested to confirm it is not applicable, it is “not applicable.” If the requirement is excluded from review and/or testing without …
Q 24 Can you clarify the difference in “Not Applicable” versus “Not Tested” for a scenario such as a cloud services (Infrastructure as a Service) provider? In that case, the service provider would not be responsible for applications or other aspects that the customer is responsible for. Are those N/A or not tested? A First, consider the guidance that if a requirement was considered and tested to confirm it is not applicable, it is “not applicable.” If the requirement is excluded from review and/or testing without …
Removed
p. 10
Note: The March 2014 version of this FAQ noted the following example for “Not Applicable” in error; dependence on other entity’s PCI Compliance is deemed “In Place” with a narrative similar to the below reflecting review of the contract and confirmation of PCI Compliance via review of the corresponding AOC. On the other side of this, if I use a hosting provider and my compliance for some requirements is based on their PCI compliance, there is still some testing
•in that the QSA will still ensure contracts reflect that responsibility, the ROC or AOC will be reviewed to ensure it covers this responsibility
•and the “In Place” response will reflect that testing. You might end up with a response like "In Place. QSA confirmed contract dated xx/xx notes this as responsibility of SP Y. Reviewed AOC of SP Y, confirmed they are PCI Compliant against 2.0 as of yy/yy."
Q 25 Are future-dated …
•in that the QSA will still ensure contracts reflect that responsibility, the ROC or AOC will be reviewed to ensure it covers this responsibility
•and the “In Place” response will reflect that testing. You might end up with a response like "In Place. QSA confirmed contract dated xx/xx notes this as responsibility of SP Y. Reviewed AOC of SP Y, confirmed they are PCI Compliant against 2.0 as of yy/yy."
Q 25 Are future-dated …
Removed
p. 11
Q 27 The AOC for merchants has no mention of which or how many requirements were "not tested." Why? Doesn’t this mean that a merchant can "not test" many items and not make it clear as to how thorough their assessment was? A Because the compliance of entities are often dependent on the compliance of service providers, there was a clear need to provide more information within the AOC for Service Providers regarding which requirements were not tested, etc., based on the feedback we received from the community. Merchants, however, are less likely to be taking on responsibility for requirements for entities in this manner, and therefore this level of reporting isn't necessary in the AOC for Merchants. Remember, compliance is determined by the brands and acquirers, and any intention to not test requirements should be discussed with them. The addition of "Not Tested" is not intended to make requirements …