Authored by Brian Odian for VikingCloud’s Compliance Elements Series, available on YouTube.
One of the things we occasionally come across as assessors is the belief that PCI DSS requirements can be treated more like a risk assessment than a compliance check against requirements, and from that belief follows the idea that the compliance status of a requirement can be determined based on its level of risk.
With the release of PCI DSS 4.0 comes a new ROC (Report on Compliance) Template FAQ. Under section 4.0 – Assessment Findings – it lists only 5 defined responses a QSA can pick for any particular requirement. They are:
- In Place
- In Place with Remediation
- Not Applicable
- Not Tested
- Not in Place
As per the FAQ, for something to be marked “In Place”, the expected testing has been performed, and all elements of the requirement have been met.
Conversely, something marked “Not in Place” shows that some or all elements of the requirement have not been met, are in the process of being implemented, or require further testing before it will be known if they are In Place. “Not in Place” is also used if a requirement cannot be met due to a legal restriction, meaning that meeting the requirement would contravene a local or regional law or regulation.
“In Place with Remediation” differs from “In Place with a CCW” used in version 3.2.1. Now it’s defined as “The requirement was Not in Place at some point during the PCI DSS assessment period, but where the entity remediated the issue such that the requirement was In Place before completion of the assessment.” Examples could be a security patch that was not applied within 30 days, or the unintentional storage of unencrypted PAN, where the issue was later rectified before the assessment period ended.
Which brings us to “Not Applicable” or “Not Tested” – what’s the difference? Using the example of wireless, and an organization that does not use wireless technology in any capacity, an assessor could select “Not Applicable” for some requirements after the assessor confirms through testing that there are no wireless technologies used in the organization’s CDE or that connect to their CDE. However, if a requirement is completely excluded from review without any consideration as to whether it could apply, the “Not Tested” option must be selected.
As mentioned, the PCI DSS v4.0 ROC Template – Frequently Asked Questions document is certainly worth a review for further insights into PCI DSS 4.0.