PCI SSC Eliminates “In Place With Remediation” – What’s Changed?

Written by: David Magnotta

The Payment Card Industry Security Standards Council (PCI SSC) has recently decided, in response to feedback, to implement changes related to the newly released Payment Card Industry Data Security Standard (PCI DSS) version 4.0, effective immediately. The Council has decided to remove the “In Place with Remediation” reporting option from the following reporting documents: the version 4.0 Report on Compliance (ROC) Templates, Attestations of Compliance (AOCs), and Self-Assessment Questionnaires (SAQs). These documents have all been updated and can be found on the PCI Security Standards Council website in the Document Library.

This reporting option was originally created to document controls that were not in place at a point in time during testing but were remediated, with sufficient control evidence, and in place by the end of the assessment. It was intended to highlight potential areas of improvement for entities in future testing and to promote PCI security as an ongoing process. However, there were growing concerns that this could lead to varying degrees of compliance within PCI DSS, as well as contractual issues for service providers documented as having had insufficient controls at a point in time during the assessment.

Instead, the Council has decided to forgo this option and has created a separate worksheet, to be filled out by Qualified Security Assessors (QSAs), to document any potential areas of improvement. This change is strictly related to reporting and will not have any effect on the PCI DSS standard itself. For any ongoing or recently completed version 4.0 assessments, the Council recommends that the entity reach out to its specific payment brand to determine next steps.

For an overview of PCI DSS v4, watch our on-demand webinar, “PCI DSS V4 – What You Need to Know.”