0 min read

PCI DSS v4.0 – Removal of ‘In Place with Remediation’

Upon its release in March 2022, PCI DSS v4.0 reporting brought us a new assessment finding: "In Place with Remediation". This finding was intended to report a control or requirement that was determined to be "Not in Place" when initially reviewed by the assessor and then had subsequently been corrected and remediated and could therefore be re-assessed as "In Place" prior to the completion of the assessment.

"In Place with Remediation" was intended to support the Standard's goal of security as an ongoing and continuous process. As a reporting response it provided organizations the opportunity to identify and target areas of improvement year after year.

Based on the feedback received from the PCI community and stakeholders, the PCI SSC has decided to remove "In Place with Remediation" as an assessment finding. Assessors will now be reporting using the same set of assessment responses as before: "In Place", "In Place with CCW", "Not Applicable", "Not in Place".

The PCI SSC has now published revisions to the PCI DSS v4.0 Report on Compliance (ROC) template, Attestations of Compliance (AOCs), and Self-Assessment Questionnaires (SAQs), replacing the original v4.0 reporting and validation documents. The PCI SSC has also taken this opportunity to add clarification and formatting updates to the documents. These changes are noted in each document's respective "Document Changes" table.

Note that the change is limited to reporting and validation documents and not the Standard itself. The PCI SSC has chosen to separate the recording of information about an entity's compliance gaps and improvements needed from the formal reporting and validation documents. Before the end of Q2 2023, the PCI SSC will release a worksheet for assessors to document information about those areas needing improvement, to be supported by FAQs and additional guidance for the worksheet's completion.

This change may impact organizations that have already completed a v4.0 assessment using the original reporting and validation documents or are in progress with their v4.0 assessment. The PCI SSC advises that all questions on this topic should be addressed to your compliance-accepting entity: i.e., for merchants, your acquiring bank or, for service providers, the relevant payment brands.

Contact the VikingCloud team for more information about ensuring your organization is in compliance.



Check out the latest news and resources from VikingCloud.
View All Resources
Andrea Sugden
Chief Sales and Customer Relationship Officer

Let’s Talk

Contact Us