PCI DSS 4.0 – The New ROC Template at a Glance
Posted by: Dan Mengel
Part 5 of the PCI DSS 4.0 Launch Series
The content of this blog is based solely on the PCI Data Security Standard (DSS) version 4.0 and related validation documents and does not incorporate any additional clarification/guidance provided by the PCI Security Standards Council (SSC) after the date of this blog.
As with the actual DSS itself, the PCI SSC made significant changes to the PCI DSS Version 4.0 ROC template to both support the new standard and to improve the quality and assurance provided by each ROC. The introduction of the Customized Approach necessitated a nearly all-new approach to reporting. The resulting template is now 492 pages without any data in it (for reference, the v3.2.1 ROC template was 191 pages). However, it is organized somewhat differently.
The Version 4.0 ROC template consists of three major sections plus several appendices. The first section is the instructions for using the template itself. This section can now be removed by the assessor prior to completing the ROC. The second section, Part I – Assessment Overview, contains the information previously found in Sections 1-5 of the v3.2.1 ROC template, with significant additional reporting required such as:
- More detailed information specific to remote testing activities.
- The number of years the QSA Company has completed ROCs for the entity.
- More detailed reporting on scope validation and external AND internal vulnerability scans.
- Reporting on any storage of sensitive authentication data (SAD). (This is applicable to a very small number of assessed entities – SAD is still generally not to be stored post-authorization at all.)
- Detailed description of ALL evidence reviewed and interviews conducted. Every piece of evidence (documentation, interviews, observed processes, and system evidence such as configurations and settings) must be formally categorized, assigned a reference number, and briefly described.
The third section, Part II – Findings and Observations, roughly corresponds with Section 6 of the v3.2.1 ROC template. However, the manner in which assessment results are reported has changed. For each requirement, the assessor must describe why In Place, Not In Place, Not Applicable, etc. was selected and then list the reference numbers for ALL the supporting evidence listed in Part I. If any part of the requirement leveraged the Customized Approach OR (in accordance with the Defined Approach) a Compensating Control, the corresponding three-page Customized Approach Template (Appendix E) or one-page Compensating Control template (Appendix C) must also be filled out. Since the Customized Approach can be leveraged for part or all of almost every requirement, the level of effort required to complete and document an assessment grows sharply with the extent to which the Customized Approach is used. As we discussed in Part 2 of this series, the assessor has to come up with, and then execute and document, the testing procedures for controls asserted by the entity to meet a given Customized Approach Objective.
The PCI DSS Version 4.0 is the next evolution of the PCI SSC’s mission to secure payment data. Doing so in today’s world requires significant and ongoing investment of resources, and the updated standard lays out in detail the SSC’s expectations in this area. Whether you are a merchant, a service provider, or an assessor, now is the time to dig into the new standard and understand its impact on your organization.
Dan Mengel
Practice Director, Compliance,
GuidePoint Security
Dan Mengel, Practice Director at GuidePoint Security, began his career in the security industry in 2000. He has delivered high-quality consulting services, directly and by leading others, in the areas of information security program architecture, security policy development, and security vulnerability, risk, and compliance assessments. He has developed sales and delivery processes and documentation templates for all of these engagement types. Dan is currently leading GuidePoint’s Compliance team in delivering assessment and advisory services for multiple information security standards. He also has significant prior experience designing and integrating security technology solutions from Cisco, Check Point, Websense, RSA, and others.
Dan earned a Bachelor of Science degree in Computer Information Systems from Goldey-Beacom College and holds several recognized information security industry certifications.