Diff: FAQ #1382

Can a partial PCI DSS assessment be documented in a Report on Compliance (ROC)?

Earlier Version

Yes. Where an entity wishes to perform a PCI DSS assessment against only a subset of PCI DSS requirements, it is acceptable to document such an assessment using the Report on Compliance (ROC). Such resulting reports are commonly referred to as a "Partial ROC" and often indicate the entity being assessed has yet to reach full compliance against PCI DSS. The Attestation of Compliance (AOC) may also be completed after the finalized partial ROC to demonstrate compliant findings.

There are a number of reasons why an entity may wish to perform a partial assessment, such as:
- An entity may only need to validate a subset of requirements to their acquirer (e.g., using the prioritized approach to validate certain milestones);
- An entity may wish to validate a new security control that impacts only a subset of requirements (e.g., a new encryption methodology requiring assessment to PCI DSS Requirements 3 and 4);
- An entity may offer a service that addresses only a limited number of PCI DSS requirements (e.g., a data center hosting provider only wishes to validate physical security controls per PCI DSS Requirement 9 for their hosting facility);
- An entity with an environment that fully meets all the eligibility criteria defined in a particular SAQ may use that SAQ as a reference to identify the applicable PCI DSS requirements for that environment;
- During a Token Service Provider engagement, the TSP assessor may determine that a partial ROC needs to be completed to address the additional considerations for PCI DSS Requirements 1-12 that affect TSPs.

When documenting such an assessment, the assessor will clearly communicate that testing of all requirements has not been performed by documenting which specific requirements were tested and which were not tested within both the ROC and the AOC. It is imperative that the assessor clearly define the scope of the assessment in the Summary Overview of the ROC and in relevant sections of the AOC. Once the scope of the assessment has been documented, the assessor must ensure that the remainder of the ROC and AOC are consistent with the Summary Overview. At no point should the AOC for the completion of a partial assessment indicate an organization's full compliance with PCI DSS.

The PCI DSS ROC Reporting Instructions provide detailed instruction on how to properly document the findings from the testing performed, including the difference between "Not Tested" and "Not Applicable" findings. Accurate documentation of assessment activities performed and related findings allows any individual who reads the report to have a clear understanding of the report and removes any ambiguity about the scope of the assessment review.

Later Version

Yes. Where an entity wants its assessor to conduct a PCI DSS assessment against only a subset of PCI DSS requirements, it is acceptable to document this partial PCI DSS assessment using the Report on Compliance (ROC). The Attestation of Compliance (AOC) is also completed after a PCI DSS assessment to summarize and attest to the results of the assessment.

There are a number of reasons why an entity may want to undergo a partial assessment, including:
- An entity only needs to validate a subset of PCI DSS requirements to their acquirer (for example, using the prioritized approach to validate certain milestones);
- An entity wants to validate a new security control that impacts only a subset of requirements (for example, a new encryption methodology requiring assessment to PCI DSS Requirements 3 and 4);
- A service provider identifies which PCI DSS requirements are included in the scope of their service offering and only wants those covered in the assessment (for example, a data center hosting provider only wants to validate physical security controls per PCI DSS Requirement 9 for their hosting facility);
- During a Token Service Provider (TSP) engagement, the TSP assessor determines that a partial PCI DSS assessment will adequately address the additional considerations for PCI DSS Requirements 1-12 that affect TSPs.

When documenting such an assessment, the assessor is expected to clearly communicate that testing of all requirements has not been performed by documenting which specific requirements were tested and which were not tested within both the ROC and the AOC.

The PCI DSS ROC Template provides detailed instructions on how to properly define the scope of the assessment, and how to properly document the findings from the testing performed, including the difference between "Not Tested" and "Not Applicable" responses. Accurate documentation of assessment activities performed and related findings provides readers of the report a clear understanding of the report and removes any ambiguity about the scope of the assessment review.

Note that whether a "Not Tested" response can result in PCI DSS compliance is treated differently between PCI DSS v3.2.1 and v4.0 - QSAs must refer to the ROC Template and ROC Template FAQs for the version of the standard being used for relevant guidance.

See also:
FAQ 1473: What is the role of compliance-accepting entities and assessors in determining the applicability of PCI DSS requirements for merchant and service provider PCI DSS assessments?
FAQ 1331: Can SAQ eligibility criteria be used as a guide for determining applicability of PCI DSS requirements for merchant assessments in a Report on Compliance?