Document Comparison

PCI_DSS_3_0_ROC_RTs_FAQs.pdf PCI-DSS-3x-ROC-RTs-FAQs.pdf
74% similar
11 → 10 Pages
5137 → 5054 Words
24 Content Changes

Content Changes

24 content changes. 17 administrative changes (dates, page numbers) hidden.

Added p. 5
Q 13 If my QSA company is audited in 2016 or 2017, will we be audited using reports against only the most recent published standard? A Any audits will continue to employ a sampling of completed reports, which could include 3.1 and 3.2 reporting. It is important to continue to strive for quality reporting when assessing against both standards, and the expectations around 3.2 have not changed. Assessors should be prepared to be audited for any work they’ve completed, including reporting, work papers, and similar. The company will receive feedback no matter what version of reporting is used.

Q 14 My company has already begun assessing against the newest version and we’ve come up with a report. Can AQM or someone at the PCI SSC take a look at it and tell me if the reporting is acceptable? A Consulting is not an offering that AQM or PCI SSC can provide …
Added p. 9
Note

• while future-dated requirements can be considered Not Applicable until the effective date has passed, an organization may already have implemented controls to meet the requirement. In such scenarios where the requirement is in place, the assessor should perform testing and if verified to be in place, can report the finding as “In Place.”

Note

• this information was available in the August 2011 Assessor Newsletter.
Modified p. 2
Frequently Asked Questions (FAQs) Purpose of document This document addresses questions around the use of the ROC Reporting Template for PCI DSS v3.x (PCI Template for Report on Compliance, for use with PCI DSS v3.0 and subsequent versions against 3.x).
Frequently Asked Questions (FAQs) Purpose of document This document addresses questions around the use of the ROC Reporting Template for PCI DSS v3.x (PCI Template for Report on Compliance, for use with PCI DSS v3.x).
Modified p. 2
Q 1 Is use of the ROC Reporting Template for PCI DSS v3.x mandatory? A The ROC Reporting Template for PCI DSS v3.x is mandatory for use by QSAs assessing against PCI DSS v3.x. Requirements for ISAs and reporting should be discussed with the brands and/or acquirers accepting the Report on Compliance. An assessment against v3.x of the PCI DSS by a QSA must be completed using this Reporting Template, with all grey boxes and response sections completed (even if …
Q 1 Is use of the ROC Reporting Template for PCI DSS v3.x mandatory? A The ROC Reporting Template for PCI DSS is mandatory for use by QSAs assessing against PCI DSS. Requirements for ISAs and reporting should be discussed with the brands and/or acquirers accepting the Report on Compliance. An assessment against v3.x of the PCI DSS by a QSA must be completed using this Reporting Template, with all grey boxes and response sections completed (even if to note …
Modified p. 2
Q 3 Where can I find the unlocked Microsoft Word version of the ROC Reporting Template for PCI DSS v3.x? A The most up-to-date unlocked Microsoft Word version of the ROC Reporting Template for PCI DSS v3.x is available on the Assessor Portal (www.programs.pcissc.org) for assessors to download. Please be sure to download a clean copy before each assessment, as there may be subsequent changes to the ROC Reporting Template for PCI DSS v3.x during the PCI DSS v3 lifecycle.
Q 3 Where can I find the unlocked Microsoft Word version of the ROC Reporting Template for PCI DSS v3.x? A The most up-to-date unlocked Microsoft Word version of the ROC Reporting Template for PCI DSS v3.x is available on the Assessor Portal (www.programs.pcissc.org) for assessors to download. Please be sure to download a clean copy before each assessment, as there may be subsequent changes to the ROC Reporting Template for PCI DSS v3.x during the PCI DSS v3 lifecycle. …
Modified p. 2
Q 4 Can a QSA company make personalization-type changes to the ROC Reporting Template for PCI DSS v3.x and, if so, what are the limitations? A PCI SSC recognizes the need for personalization changes by the QSA to the ROC Reporting Template for PCI DSS v3.x, such as the addition of company logos (preferably limited to the title page) and addition of legal verbiage. Changes must be minimal and the format of the ROC Reporting Template for PCI DSS v3.x …
Q 4 Can a QSA company make personalization-type changes to the ROC Reporting Template for PCI DSS v3.x and, if so, what are the limitations? A While PCI SSC recognizes the need for personalization changes by the QSA to the ROC Reporting Template for PCI DSS v3.x, such as the addition of company logos and addition of legal verbiage, stakeholder feedback has indicated that a stricter stance on personalization is needed.
Modified p. 3
Q 6 Before I give the final report to my client, can I remove the instruction column? I want it to look as professional as possible. A Do not remove any column from the report, particularly this column. The premise of allowing QSAs to provide these sorts of answers is based on the context the instructions in that column provide. Without the column, the responses are not worth much and really would not make sense. Assessor Quality Management (AQM) believes …
Q 6 Before I give the final report to my client, can I remove the instruction column? I want it to look as professional as possible. A No, do not remove any column from the report. The premise of allowing QSAs to provide these sorts of answers is based on the context the instructions in that column provide. Without the column, the responses lack that context and really would not make sense. Assessor Quality Management (AQM) believes that your client …
Modified p. 4 → 5
Q 12 The instructions for “3.1 Assessor’s validation of scope accuracy” seem inconsistent with the critical distinction that PCI DSS establishes, which is that scope definition is the responsibility of the entity, and that the assessor verifies that the scope was defined properly. Has that changed? A It is true that the assessor is tasked with verifying the scope has been defined properly, and that the scope definition in many cases is set by the assessed entity separate from the …
Q 15 The instructions for “3.1 Assessor’s validation of scope accuracy” seem inconsistent with the critical distinction that PCI DSS establishes, which is that scope definition is the responsibility of the entity, and that the assessor verifies that the scope was defined properly. Has that changed? A It is true that the assessor is tasked with verifying the scope has been defined properly, and that the scope definition in many cases is set by the assessed entity separate from the …
Modified p. 5
Q 13 How does using a PA-DSS validated application affect the scope of a merchant’s PCI DSS assessment? A Applications that are PA-DSS validated have been assessed by a PA-QSA as meeting all PA-DSS requirements. This means the application, when properly installed and configured in the cardholder data environment, is capable of supporting the merchant’s PCI DSS compliance.
Q 16 How does using a PA-DSS validated application affect the scope of a merchant’s PCI DSS assessment? A Applications that are PA-DSS validated have been assessed by a PA-QSA as meeting all PA-DSS requirements. This means the application, when properly installed and configured in the cardholder data environment, is capable of supporting the merchant’s PCI DSS compliance.
Modified p. 5 → 6
Q 14 Where a testing procedure includes sampling of system components, should a list of host names or IP addresses be included in the response? A As explained in the “ROC Reporting Details” section, the assessor should identify the number and type of items included in each sample. It is not necessary to identify or name every sampled system component in the ROC; however, assessors may provide a list if it improves clarity or better explains the findings for some …
Q 17 Where a testing procedure includes sampling of system components, should a list of host names or IP addresses be included in the response? A As explained in the “ROC Reporting Details” section, the assessor should identify the number and type of items included in each sample. It is not necessary to identify or name every sampled system component in the ROC; however, assessors may provide a list if it improves clarity or better explains the findings for some …
Modified p. 5 → 6
Q 15 How will the “appropriateness” of a sample be measured? A The details required in Section 3 of the ROC, “Description of Scope of Work and Approach Taken,” provide the assessor’s justification of why the samples chosen are appropriate.
Q 18 How will the “appropriateness” of a sample be measured? A The details required in Section 3 of the ROC, “Description of Scope of Work and Approach Taken,” provide the assessor’s justification of why the samples chosen are appropriate.
Modified p. 5 → 6
Q 16 Is a complete itemized list of every hardware device, either by IP address or hostname, required for the “List of Hardware” in the “Details about Reviewed Environment” section of the ROC? A A list detailing every individual IP address and/or hostname is not required for the ROC. The List of Hardware should identify each type of hardware used in the cardholder data environment as defined in the “ROC Reporting Details” column. However, assessors are expected to maintain a …
Q 19 Is a complete itemized list of every hardware device, either by IP address or hostname, required for the “List of Hardware” in the “Details about Reviewed Environment” section of the ROC? A A list detailing every individual IP address and/or hostname is not required for the ROC. The List of Hardware should identify each type of hardware used in the cardholder data environment as defined in the “ROC Reporting Details” column. However, assessors are expected to maintain a …
Modified p. 6
Q 17 My client does not want to have the cardholder data storage table included in the completed ROC, as they feel it puts too much secure data into one document. How can I address their concerns, but complete the ROC Template appropriately? A In this case, it may make sense to put a document reference in the ROC Template at 4.3 for the QSA to attest that the cardholder data storage has been documented according to 4.3 and identify …
Q 20 My client does not want to have the cardholder data storage table included in the completed ROC, as they feel it puts too much secure data into one document. How can I address their concerns, but complete the ROC Template appropriately? A In this case, it may make sense to put a document reference in the ROC Template at 4.3 for the QSA to attest that the cardholder data storage has been documented according to 4.3 and identify …
Modified p. 7
Q 18 When determining which one of the summary findings is appropriate for a sub-requirement, is there any more guidance available on those options beyond what is in the “Introduction to the ROC Template” section of the ROC Reporting Template for PCI DSS v3.x? A The following table is a helpful supplement to the explanation provided within the ROC Reporting Template for PCI DSS v3.x. Remember, only one response should be selected at the sub-requirement.
Q 21 When determining which one of the summary findings is appropriate for a sub-requirement, is there any more guidance available on those options beyond what is in the “Introduction to the ROC Template” section of the ROC Reporting Template for PCI DSS v3.x? A The following table is a helpful supplement to the explanation provided within the ROC Reporting Template for PCI DSS v3.x. Remember, only one response should be selected at the sub-requirement.
Modified p. 7
In Place w/ CCW (Compensating Control Worksheet) The expected testing has been performed, and the requirement has been met with the assistance of a compensating control.
In Place w/ CCW (Compensating Control Worksheet) The expected testing has been performed, and the requirement has been met with the assistance of a compensating control. All responses in this column require completion of a Compensating Control Worksheet (CCW). Information on the use of compensating controls and guidance on how to complete the worksheet is provided in the PCI DSS.
Modified p. 7
(Not Applicable) The requirement does not apply to the organization’s environment.
(Not Applicable) The requirement does not apply to the organization’s environment. All “not applicable” responses require reporting on testing performed to confirm the “not applicable” status.
Modified p. 7
Q 19 What is the difference between “Not Applicable” and “Not Tested”? A Requirements that are deemed to be not applicable to an environment must be verified as such. Using the example of wireless and an organization that does not use wireless technology in any capacity, an assessor could select “N/A” for Requirements 1.2.3, 2.1.1, and 4.1.1, after the assessor confirms that there are no wireless technologies used in their CDE or that connect to their CDE via assessor testing. …
Q 22 What is the difference between “Not Applicable” and “Not Tested”? A Requirements that are deemed to be not applicable to an environment must be verified as such. Using the example of wireless and an organization that does not use wireless technology in any capacity, an assessor could select “N/A” for Requirements 1.2.3, 2.1.1, and 4.1.1, after the assessor confirms that there are no wireless technologies used in their CDE or that connect to their CDE via assessor testing. …
Modified p. 8
Q 20 Can you clarify the difference in “Not Applicable” versus “Not Tested” for a scenario such as a cloud services (Infrastructure as a Service) provider? In that case, the service provider would not be responsible for applications or other aspects that the customer is responsible for. Are those N/A or not tested? First, consider the guidance that if a requirement was considered and tested to confirm it is not applicable, it is “not applicable.” If the requirement is excluded …
Q 23 Can you clarify the difference in “Not Applicable” versus “Not Tested” for a scenario such as a cloud services (Infrastructure as a Service) provider? In that case, the service provider would not be responsible for applications or other aspects that the customer is responsible for. Are those N/A or not tested? A First, consider the guidance that if a requirement was considered and tested to confirm it is not applicable, it is “not applicable.” If the requirement is …
Removed p. 9
Q 22 There appear to be several typos or issues with instructions in a couple places. Are there plans to remedy these soon and what do we do in the meantime? A AQM has published an updated version of the 3.0 templates to the Portal, as was always the intention, and will continue to publish subsequent revisions. It was a large endeavor to create these documents, and despite our best efforts, we knew some corrections would need to be made. Some are simply mistakes, such as the example of 6.4.4.b and 8.7.b in the Reporting Template for 3.0, version 1.0 where the wrong word appears in the instruction. As mentioned before, the intent for how to handle future-dated requirements as "not applicable" was a change made after publication and that needs to be remedied. Please continue to send such feedback to the Program Managers so we may fix it, and …
Modified p. 9
Note: The March 2014 version of this FAQ noted the following example for “Not Applicable” in error; dependence on other entity’s PCI Compliance is deemed “In Place” with a narrative similar to the below reflecting review of the contract and confirmation of PCI Compliance via review of the corresponding AOC. On the other side of this, if I use a hosting provider and my compliance for some requirements is based on their PCI compliance, there is still some testing

• in that …
Note: The March 2014 version of this FAQ noted the following example for “Not Applicable” in error; dependence on other entity’s PCI Compliance is deemed “In Place” with a narrative similar to the below reflecting review of the contract and confirmation of PCI Compliance via review of the corresponding AOC. On the other side of this, if I use a hosting provider and my compliance for some requirements is based on their PCI compliance, there is still some testing

• in that …
Modified p. 9
Q 21 Are future-dated requirements considered “Not Applicable” or “Not Tested”? The instructions in the ROC Reporting Template for PCI DSS v3.0 seem to conflict on this. A An update to the ROC Reporting Template for PCI DSS v3.0 has clarified this, as the original instructions have been determined to not reflect effectively the result. While it is true that the requirement is likely not tested (hence the original instructions), it is not required to be tested until the future …
Q 24 Are future-dated requirements considered “Not Applicable” or “Not Tested”? A While it is true that the requirement is likely not tested (hence the original instructions), it is not required to be tested until the future date has passed, and the requirement is therefore not applicable until that date. As such, a “Not Applicable” response to future-dated requirements is accurate, whereas a “Not Tested” response would imply there was not any consideration as to whether it could apply (and …
Modified p. 9
Q 23 I am curious why the “N/A” is grayed out for 3.2.1. I can see situations (physical security facility) that might look at this question as N/A since the client would be responsible for the application and database. A There is not a change in intent here, and was addressed in the August 2011 Assessor Update Newsletter. Some of the highlights follow, but please refer back to that publication:
Q 25 I am curious why the “N/A” is grayed out for 3.2.1. I can see situations (physical security facility) that might look at this question as N/A since the client would be responsible for the application and database. A There is not a change in intent here. Some of the highlights follow:
Removed p. 10
Q 24 What is the intent of having the QSA name in several sections of the report within the requirements, such as the "Provide the name of the assessor who confirms that…" instructions? A AQM gave each response instruction close consideration and did not want to encourage reporting for the sake of reporting. In most places, there were details the assessor could provide that would not boil down to "yes/no" or repeating of the testing procedure, but that was not the case for all. In the requirements where it was determined that no additional useful reporting was likely, we determined this "signature" was a better course of action. The consistency of using the assessor's name as an attestation is deemed stronger than a simple "yes" or "checkmark."

Q 25 If my company is audited in 2014, will we be audited using reports against 2.0, 3.x, or both? A Any audits will …
Modified p. 11 → 10
Q 28 Regarding the AOC for Service Providers, v3.x, are you planning to issue definitions for the services listed or similar guidance? A There are no plans at this time for formal definitions for these services by PCI SSC. As noted in Part 2 of the AOC for Service Providers, v3.x: “Note: These categories are provided for assistance only, and are not intended to limit or predetermine an entity’s service description. If you feel these categories don’t apply to your …
Q 27 Regarding the AOC for Service Providers, v3.x, are you planning to issue definitions for the services listed or similar guidance? A There are no plans at this time for formal definitions for these services by PCI SSC. As noted in Part 2 of the AOC for Service Providers, v3.x: “Note: These categories are provided for assistance only, and are not intended to limit or predetermine an entity’s service description. If you feel these categories don’t apply to your …