Report On Compliance Template - PCI Security Standards


Payment Card Industry (PCI) Data Security Standard
Supplemental Report on Compliance – Designated Entities
Reporting Template for use with the PCI DSS Designated Entities Supplemental Validation
Revision 1.0
June 2015

Document Changes

Date       Version       Description
June 2015  Revision 1.0  To introduce the template for submitting Supplemental Reports on Compliance for Designated Entities.

This document is intended for use with version 1.0 of the PCI DSS Designated Entities Supplemental Validation.

Reporting Template for use with the PCI DSS Supplemental Validation for Designated Entities, Revision 1.0. © 2015 PCI Security Standards Council, LLC. All Rights Reserved. June 2015, Page 2

Introduction to the Supplemental ROC Template for PCI DSS Designated Entities Supplemental Validation

Instructions for Submission

This document, the Reporting Template for use with the PCI DSS Designated Entities Supplemental Validation, Revision 1.0 (“Supplemental ROC Template” or “S-ROC”), is the mandatory template for Qualified Security Assessors (QSAs) completing assessment of a designated entity against the PCI DSS Designated Entities Supplemental Validation, Version 1.0.

Note that an entity is ONLY required to undergo an assessment according to this document if instructed to do so by an acquirer or a payment brand.

This “Supplemental ROC Template” or “S-ROC” document is to be completed according to the same instructions provided in the Reporting Template for PCI DSS v3. Refer to the Reporting Template(s) for use with PCI DSS v3 and the ROC Reporting Template for PCI DSS v3: Frequently Asked Questions (FAQs) documents on the PCI SSC website for detailed instruction on how to complete these reporting templates. As such, do not delete any content from any place in this document, including this section and the versioning above. Excessive personalization and changes to sections – including additional sections – may not be accepted by accepting entities, and personalization should be limited to the title page.

The “S-ROC” template is an addendum to the ROC Reporting Template and is not intended to stand alone. Because of this, details related to Scope of Work, Details of Reviewed Environment and so on that are applicable to the environment reviewed for the S-ROC must be included in the applicable sections in the full ROC for that entity. For example, the list of interviewees in the full ROC should also include any persons interviewed during assessment of the PCI DSS Designated Entities Supplemental Validation.

While this supplemental validation would typically be done in conjunction with a full PCI DSS assessment, entities should contact their payment brand and/or acquirer with any questions about completing and submitting these reports.

Addendum to ROC Reporting Template - Reporting Template for use with the PCI DSS Designated Entities Supplemental Validation

Findings and Observations

Column headings of the findings table: PCI DSS Requirements and Testing Procedures | Reporting Instruction | Reporting Details: Assessor’s Response | Summary of Assessment Findings (check one): In Place / In Place w/ CCW / N/A / Not in Place

DE.1 Implement a PCI DSS compliance program

DE.1.1 Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program to include:
- Overall accountability for maintaining PCI DSS compliance
- Defining a charter for a PCI DSS compliance program
- Provide updates to executive management and board of directors on PCI DSS compliance initiatives and issues, including remediation activities, at least annually.
PCI DSS Reference: Requirement 12

DE.1.1.a Examine documentation to verify executive management has assigned overall accountability for maintaining the entity’s PCI DSS compliance.
  Reporting Instruction: Identify the document(s) examined to verify executive management has assigned overall accountability for maintaining the entity’s PCI DSS compliance.
  Assessor’s Response: Report Findings Here
  Summary of Assessment Findings (check one): [ ] In Place  [ ] In Place w/ CCW  [ ] N/A  [ ] Not in Place

DE.1.1.b Examine the company’s PCI DSS charter to verify it outlines the conditions under which the PCI DSS compliance program is organized.
  Reporting Instruction: Identify the company’s PCI DSS charter document(s) examined to verify the charter outlines the conditions under which the PCI DSS compliance program is organized.
  Assessor’s Response: Report Findings Here
  Summary of Assessment Findings (check one): [ ] In Place  [ ] In Place w/ CCW  [ ] N/A  [ ] Not in Place

DE.1.1.c Examine executive management and board of directors meeting minutes and/or presentations to ensure PCI DSS compliance initiatives and remediation activities are communicated at least annually.
  Reporting Instruction: Identify the sample of executive management and board of directors meeting minutes and/or presentations examined to ensure PCI DSS compliance initiatives and remediation activities are communicated at least annually.
  Assessor’s Response: Report Findings Here
  Summary of Assessment Findings (check one): [ ] In Place  [ ] In Place w/ CCW  [ ] N/A  [ ] Not in Place

DE.1.2 A formal PCI DSS compliance program must be in place to include:
- Definition of activities for maintaining and monitoring overall PCI DSS compliance, including business as usual activities
- Annual PCI DSS assessment processes
- Processes for the continuous validation of PCI DSS requirements (for example: daily, weekly, quarterly, etc. as applicable per requirement).
- A process for performing business impact analyses to determine potential PCI DSS impacts for strategic business decisions
PCI DSS Reference: Requirements 1-12

DE.1.2.a Examine information security policies and procedures to verify that processes are specifically defined for the following:
- Maintaining and monitoring overall PCI DSS compliance, including business as usual activities
- Annual PCI DSS assessment(s)
- Continuous validation of PCI DSS requirements
- Business impact analyses to determine potential PCI DSS impacts for strategic business decisions
  Reporting Instruction: Identify the information security policies and procedures document(s) examined to verify that processes are specifically defined for the following:
  - Maintaining and monitoring overall PCI DSS compliance, including business as usual activities
  - Annual PCI DSS assessment(s)
  - Continuous validation of PCI DSS requirements
  - Business impact analyses to determine potential PCI DSS impacts for strategic business decisions
  Assessor’s Response: Report Findings Here
  Summary of Assessment Findings (check one): [ ] In Place  [ ] In Place w/ CCW  [ ] N/A  [ ] Not in Place

DE.1.2.b Interview personnel and observe compliance activities to verify that the defined processes are implemented for the following:
- Maintaining and monitoring overall PCI DSS compliance, including business as usual activities
- Annual PCI DSS assessment(s)
- Continuous validation of PCI DSS requirements
- Business impact analyses to determine potential PCI DSS impacts for strategic business decisions
  Reporting Instruction: Identify the personnel interviewed who confirm that defined processes are implemented for:
  - Maintaining and monitoring overall PCI DSS compliance, including business as usual activities
  - Annual PCI DSS assessment(s)
  - Continuous validation of PCI DSS requirements
  - Business impact analyses to determine potential PCI DSS impacts for strategic business decisions
  Assessor’s Response: Report Findings Here
  Reporting Instruction: Describe how compliance activities were observed to verify that defined processes are implemented for the following:
  - Maintaining and monitoring overall PCI DSS compliance, including business as usual activities: Report Findings Here
  - Annual PCI DSS assessment(s): Report Findings Here
  - Continuous validation of PCI DSS requirements: Report Findings Here
  - Business impact analyses to determine potential PCI DSS impacts for strategic business decisions: Report Findings Here
  Summary of Assessment Findings (check one): [ ] In Place  [ ] In Place w/ CCW  [ ] N/A  [ ] Not in Place

DE.1.3 PCI DSS compliance roles and responsibilities must be specifically defined and formally assigned to one or more personnel, including at least the following:
- Managing PCI DSS business as usual activities
- Managing annual PCI DSS assessments
- Managing continuous validation of PCI DSS requirements (for example: daily, weekly, quarterly, etc. as applicable per requirement)
- Managing business impact analyses to determine potential PCI DSS impacts for strategic business decisions
PCI DSS Reference: Requirement 12

DE.1.3.a Examine information security policies and procedures and interview personnel to verify that roles and responsibilities are clearly defined and that duties are assigned to include at least the following:
- Managing PCI DSS business as usual activities
- Managing annual PCI DSS assessments
- Managing continuous validation of PCI DSS requirements (for example: daily, weekly, quarterly, etc. as applicable per requirement)
- Managing business impact analyses to determine potential PCI DSS impacts for strategic business decisions
  Reporting Instruction: Identify the information security policies and procedures document(s) examined to verify that roles and responsibilities are clearly defined and that duties are assigned to include at least the following:
  - Managing PCI DSS business as usual activities
  - Managing annual PCI DSS assessments
  - Managing continuous validation of PCI DSS requirements
  - Managing business impact analyses to determine potential PCI DSS impacts for strategic business decisions
  Assessor’s Response: Report Findings Here
  Reporting Instruction: Identify the personnel interviewed who confirm that roles and responsibilities are clearly defined and that duties are assigned to include at least the following:
  - Managing PCI DSS business as usual activities
  - Managing annual PCI DSS assessments
  - Managing continuous validation of PCI DSS requirements
  - Managing business impact analyses to determine potential PCI DSS impacts for strategic business decisions
  Assessor’s Response: Report Findings Here
  Summary of Assessment Findings (check one): [ ] In Place  [ ] In Place w/ CCW  [ ] N/A  [ ] Not in Place

DE.1.3.b Interview responsible personnel and verify they are familiar with and performing their designated PCI DSS compliance responsibilities.
  Reporting Instruction: Identify the personnel interviewed who confirm that they are familiar with and performing their designated PCI DSS compliance responsibilities.
  Assessor’s Response: Report Findings Here
  Summary of Assessment Findings (check one): [ ] In Place  [ ] In Place w/ CCW  [ ] N/A  [ ] Not in Place

DE.1.4 Provide up-to-date PCI DSS and/or information security training at least annually to personnel with PCI DSS compliance responsibilities (as identified in DE.1.3).
PCI DSS Reference: Requirement 12

DE.1.4.a Examine information security policies and procedures to verify that PCI DSS and/or similar information security training is required at least annually for each role with PCI DSS compliance responsibilities.
  Reporting Instruction: Identify the information security policies and procedures document(s) examined to verify that PCI DSS and/or similar information security training is required at least annually for each role with PCI DSS compliance responsibilities.
  Assessor’s Response: Report Findings Here
  Summary of Assessment Findings (check one): [ ] In Place  [ ] In Place w/ CCW  [ ] N/A  [ ] Not in Place

DE.1.4.b Interview personnel and examine certificates of attendance or other records to verify that personnel with PCI DSS compliance responsibility receive up-to-date PCI DSS and/or similar information security training at least annually.
  Reporting Instruction: Identify the personnel interviewed who confirm that personnel with PCI DSS compliance responsibility receive up-to-date PCI DSS and/or similar information security training at least annually.
  Assessor’s Response: Report Findings Here
  Reporting Instruction: Identify the certificates of attendance or other records examined to verify that personnel with PCI DSS compliance responsibility receive up-to-date PCI DSS and/or similar information security training at least annually.
  Assessor’s Response: Report Findings Here
  Summary of Assessment Findings (check one): [ ] In Place  [ ] In Place w/ CCW  [ ] N/A  [ ] Not in Place

DE.2 Document and validate PCI DSS scope

DE.2.1 Document and confirm the accuracy of PCI DSS scope at least quarterly and upon significant changes to the in-scope environment. At a minimum, the quarterly scoping validation should include:
- Identifying all in-scope networks and system components
- Identifying all out-of-scope networks and justification for networks being out of scope, including descriptions of all segmentation controls implemented
- Identifying all connected entities (e.g. third party entities with access to the cardholder data environment (CDE))
PCI DSS Reference: Scope of PCI DSS Requirements

DE.2.1.a Examine documented results of scope reviews and interview personnel to verify that the reviews are performed:
- At least quarterly
- After significant changes to the in-scope environment
  Reporting Instruction: Identify the documented results of scope reviews examined to verify that the reviews are performed:
  - At least quarterly
  - After significant changes to the in-scope environment
  Assessor’s Response: Report Findings Here
  Reporting Instruction: Identify the personnel interviewed who confirm that the reviews are performed:
  - At least quarterly
  - After significant changes to the in-scope environment
  Assessor’s Response: Report Findings Here
  Summary of Assessment Findings (check one): [ ] In Place  [ ] In Place w/ CCW  [ ] N/A  [ ] Not in Place

DE.2.1.b Examine documented results of quarterly scope reviews to verify the following is performed:
- Identification of all in-scope networks and system components
- Identification of all out-of-scope networks and justification for networks being out of scope, including descriptions of all segmentation controls implemented
- Identification of all connected entities (e.g. third party entities with access to the CDE)
  Reporting Instruction: Using the documented results of quarterly scope review identified at DE 2.1.a, describe how the documented results of quarterly scope reviews were observed to verify that the following is performed:
  - Identification of all in-scope networks and system components: Report Findings Here
  - Identification of all out-of-scope networks and justification for networks being out of scope, including descriptions of all segmentation controls implemented: Report Findings Here
  - Identification of all connected entities: Report Findings Here
  Summary of Assessment Findings (check one): [ ] In Place  [ ] In Place w/ CCW  [ ] N/A  [ ] Not in Place

DE.2.2 Determine PCI DSS scope impact for all changes to systems or networks, including additions of new systems and new network connections. Processes must include:
- Performing a formal PCI DSS impact assessment
- Identifying applicable PCI DSS requirements to the system or network
- Updating PCI DSS scope as appropriate
- Documented sign-off of the results of the impact assessment by responsible personnel (as defined in DE.1.3)
PCI DSS Reference: Scope of PCI DSS Requirements; Requirements 1-12

DE.2.2 Examine change documentation and interview personnel to verify that for each change to systems or networks:
- A formal PCI DSS impact assessment was performed
- PCI DSS requirements applicable to the system or network changes were identified
- PCI DSS scope was updated as appropriate for the change
- Sign-off by responsible personnel (as defined in DE.1.3) was obtained and documented
  Reporting Instruction: Identify the change documentation examined to verify that for each change to systems or networks:
  - A formal PCI DSS impact assessment was performed
  - PCI DSS requirements applicable to the system or network changes were identified
  - PCI DSS scope was updated as appropriate for the change
  - Sign-off by responsible personnel (as defined in DE.1.3) was obtained and documented
  Assessor’s Response: Report Findings Here
  Reporting Instruction: Identify the personnel interviewed who confirm that for each change to systems or networks:
  - A formal PCI DSS impact assessment was performed
  - PCI DSS requirements applicable to the system or network changes were identified
  - PCI DSS scope was updated as appropriate for the change
  - Sign-off by responsible personnel (as defined in DE.1.3) was obtained and documented
  Assessor’s Response: Report Findings Here
  Summary of Assessment Findings (check one): [ ] In Place  [ ] In Place w/ CCW  [ ] N/A  [ ] Not in Place

DE.2.2.1 Upon completion of a change, all relevant PCI DSS requirements must be verified on all new or changed systems and networks, and documentation must be updated as applicable. Examples of PCI DSS requirements that should be verified include, but are not limited to:
- Updated network diagram to reflect changes
- Systems are configured per configuration standards, with all default passwords changed and unnecessary services disabled
- Systems are protected with required controls, e.g. file integrity monitoring (FIM), anti-virus, patches, audit logging
- Verification that sensitive authentication data (SAD) is not stored and that all cardholder data (CHD) storage is documented and incorporated into data retention policy and procedures
- New systems are included in the quarterly vulnerability scanning process
PCI DSS Reference: Scope of PCI DSS Requirements; Requirement 1-12

DE.2.2.1 For a sample of systems and network changes, examine change records, interview personnel and observe the affected systems/networks to verify that applicable PCI DSS requirements were implemented and documentation updated as part of the change.
  Reporting Instruction: Identify the sample of systems and network changes.
  Assessor’s Response: Report Findings Here
  For the sample of systems and network changes:
  Reporting Instruction: Identify the change records examined to verify that applicable PCI DSS requirements were implemented and documentation updated as part of the change.
  Assessor’s Response: Report Findings Here
  Reporting Instruction: Identify the personnel interviewed who confirm that applicable PCI DSS requirements were implemented and documentation updated as part of the change.
  Assessor’s Response: Report Findings Here
  Reporting Instruction: Describe how the affected systems/networks were observed to verify that applicable PCI DSS requirements were implemented and documentation updated as part of the change.
  Assessor’s Response: Report Findings Here
  Summary of Assessment Findings (check one): [ ] In Place  [ ] In Place w/ CCW  [ ] N/A  [ ] Not in Place

DE.2.3 Changes to organizational structure (for example, a company merger or acquisition, change or reassignment of personnel with responsibility for security controls) result in a formal (internal) review of the impact to PCI DSS scope and applicability of controls.
PCI DSS Reference: Requirement 12

DE.2.3 Examine policies and procedures to verify that a change to organizational structure results in formal review of the impact to PCI DSS scope and applicability of controls.
  Reporting Instruction: Identify the policies and procedures document(s) examined to verify that a change to organizational structure results in formal review of the impact to PCI DSS scope and applicability of controls.
  Assessor’s Response: Report Findings Here
  Summary of Assessment Findings (check one): [ ] In Place  [ ] In Place w/ CCW  [ ] N/A  [ ] Not in Place

DE.2.4 If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.
PCI DSS Re
