PCI DSS 4.0 - Risk vs. Requirement

One of the things we occasionally come across as assessors is the belief that PCI DSS requirements can be treated more like a risk assessment rather than a compliance check against requirements, and as such a belief develops that the compliance status of a requirement can be determined based on the level of risk.

‍

With the release of PCI DSS 4.0 come a new ROC (or Report on Compliance) Template FAQ Under section 4.0 - Assessment Findings - it mentions only five defined responses a QSA can pick for any particular requirement. They are:

‍

In Place
In Place with Remediation
Not Applicable
Not Tested
Not in Place

‍

As per the FAQ for something to be marked In Place The expected testing has been performed, and all elements of the requirement have been met.

‍

Adversely something marked Not in Place shows some or all elements of the requirement have not been met, are in the process of being implemented, or require further testing before it will be known if they are In Place. Not in Place is also used if a requirement cannot be met due to a legal restriction, meaning that meeting the requirement would contravene a local or regional law or regulation.

‍

In Place with Remediation differs from In Place with a CCW used in version 3.2.1. Now it's defined as The requirement was Not in Place at some point during the PCI DSS assessment period, but where the entity remediated the issue such that the requirement was In Place before completion of the assessment. An example could be that a security patch that was not applied within 30 days or the unintentional storage of unencrypted PAN which were later rectified prior to the assessment period ending.

‍

Which brings us to Not Applicable or Not Tested - what's the difference? Using the example of wireless, and an organization that does not use wireless technology in any capacity, an assessor could select Not Applicable for some requirements after the assessor confirms through testing that there are no wireless technologies used in the organization's CDE or that connect to their CDE. However, if a requirement is completely excluded from review without any consideration as to whether it could apply, the Not Tested option must be selected.

‍

As mentioned, the PCI DSS v4.0 ROC Template Frequently Asked Questions document is certainly worth a review for further insights into PCI DSS 4.0.

PCI DSS 4.0 - Risk vs. Requirement

VIKINGCLOUD NEWS & RESOURCES

5 Best Practices for Securing Your Small Biz

Ensuring Penetration Testing Leads to Security

PA-DSS Transformation to SSF

Fueling a Healthy Diet

PCI DSS v4.0 and the Evolution of the Self-Assessment Questionnaire (SAQ) for E-commerce Merchants

Securing the End Zone: Achieving PCI Compliance Excellence for an NFL Franchise

PayPal and the PCI DSS

PCI DSS v4.0 Compliance: 5 Key Reasons to Define Roles and Responsibilities

Proactive Data Security

Small Business and PCI Cost vs. Benefit

Distributed Denial of Service (DDOS) Attack – What can you do?

Managed Security Services

Avoid Audit Fatigue - Using Automation to Create an Efficient Compliance Framework (and Stay Sane)

PCI Myths

Asking around: What will the boardroom be talking about in 2024?

3 Basic Ways to Avoid PCI Paralysis

3 Common Pitfalls to Meeting PCI DSS Compliance

PCI Compliance and the Service Provider

Cyber Threat Unit Spotlight: Robin Divino

EDR or SIEM: Which Should You Choose?

P2PE Assesment Long Form

“Can We Securely Store Card Data for Recurring Billing?”

Microsoft Ending Support for Windows Server 2003

Security Logging and Monitoring (PCI DSS Requirement 10): Why all the Fuss?

Working with Multiple Compliance Standards

ISO27001 vs. ISO27002

Why there’s no one-size-fits all solution to security maturity

PAYSTRAX Selects VikingCloud’s Patented Web Risk Monitoring to Mitigate Merchant Fraud

PCI DSS v4.0: Authenticated Scans

What in the World is a Qualified Integrator and Reseller?

PCI DSS v4.0 – Best Practices for Automated Log Reviews

NIST Cybersecurity Framework 2.0: A Deep Dive into the New Governance Function

Hardening Against Potential Attacks from Elevated Geopolitical Cybersecurity Risks

Connectivity Services

PCI Compliance and Your Website: A Guide

5 Security Tips for Small IT Teams

VikingCloud welcomes Gabe Moynagh as new board advisor

How Do Cybercriminals Profit From My Stolen Data?

PCI DSS 4.0: Multifactor Authentication

PAN Storage and the PCI DSS

Improving Security Awareness - Best Practices

Cyber attackers and defenders are racing to up their AI game

Ransomware in 2022 and beyond

Are your external ASV scans effective?

High Availabilty Solution

VF Corp. discloses cyberattack on first day of new SEC rule

SEC Adopts New Rules on Cybersecurity Risk Management, Incident Disclosure, and Ransomware Payments by Public Companies

VikingCloud Announces Industry’s First PCI L4 Compliance Program with Integrated Cyber Risk Score

What is Endpoint Detection and Response?

PCI DSS 4.0 - Risk vs. Requirement

Security Incident Preparedness - Tabletop Exercises

Cloud Security and Zero Trust

Introducing PCI DSS 4.0

Voice

Ransomware actors ‘tighten the screws’ with legal and financial pressures

How women in payments, fintech, and cybersecurity are breaking the glass ceiling?

Web Risk Monitoring

The Value of Powerful, Predictive and Cohesive Cybersecurity

Staples, 23andMe respond to holiday data breaches

The 2019 PCI Compliance Annual Plan

The PCI DSS, Chaining and the Franchise Relationship

What is an Endpoint Protection Platform?

Updated U.S. Cyber Guidelines Place Emphasis on Risk Governance

What’s the best practice for masking or truncating PAN data?

Beyond Fingerprints: Exploring Behavioral Biometrics for Secure Identity Verification

A different kind of food safety

3 Generative AI Security Risks Retailers Should Beware of

Cyber Threat Unit Spotlight: Chesley Moodley

Phishing 101: everything you need to know to protect your business

PA-DSS and PCI DSS: Beware the critical difference!

5 Reasons Your Customers May Not Trust You With Their Personal and Financial Data

When the Internet Goes Out, this QSR Relies on a Seamless and Secure Backup

Cryptography in the Face of Quantum Computing

What's so scary about AI (Besides human extinction)

PCI and storage of PAN

Is PCI Compliance a Law? Should it be?

VikingCloud Welcomes Jim Burke as New CEO

New “Backoff” Point-of-Sale Malware Alert