Authored by Brian Odian for VikingCloud’s Compliance Elements Series, available on YouTube.

One of the things we occasionally come across as assessors is the belief that PCI DSS requirements can be treated more like a risk assessment than a compliance check against requirements. From that, a belief develops that the compliance status of a requirement can be determined based on the level of risk.

With the release of PCI DSS 4.0 comes a new ROC (Report on Compliance) Template FAQ. Under section 4.0 – Assessment Findings – it lists only 5 defined responses a QSA can pick for any particular requirement. They are:

  • In Place
  • In Place with Remediation
  • Not Applicable
  • Not Tested
  • Not in Place

As per the FAQ, something is marked “In Place” when the expected testing has been performed and all elements of the requirement have been met.

Conversely, something marked “Not in Place” shows that some or all elements of the requirement have not been met, are in the process of being implemented, or require further testing before it will be known if they are In Place. “Not in Place” is also used if a requirement cannot be met due to a legal restriction, meaning that meeting the requirement would contravene a local or regional law or regulation.

“In Place with Remediation” differs from “In Place with a CCW” used in version 3.2.1. Now it’s defined as “The requirement was Not in Place at some point during the PCI DSS assessment period, but where the entity remediated the issue such that the requirement was In Place before completion of the assessment.” An example could be a security patch that was not applied within 30 days, or the unintentional storage of unencrypted PAN, either of which was later rectified.