PCI DSS v4.0 – Removal of ‘In Place with Remediation’

Upon its release in March 2022, PCI DSS v4.0 reporting brought us a new assessment finding: "In Place with Remediation". This finding was intended to report a control or requirement that was determined to be "Not in Place" when initially reviewed by the assessor and then had subsequently been corrected and remediated and could therefore be re-assessed as "In Place" prior to the completion of the assessment.

‍

"In Place with Remediation" was intended to support the Standard's goal of security as an ongoing and continuous process. As a reporting response it provided organizations the opportunity to identify and target areas of improvement year after year.

‍

Based on the feedback received from the PCI community and stakeholders, the PCI SSC has decided to remove "In Place with Remediation" as an assessment finding. Assessors will now be reporting using the same set of assessment responses as before: "In Place", "In Place with CCW", "Not Applicable", "Not in Place".

‍

The PCI SSC has now published revisions to the PCI DSS v4.0 Report on Compliance (ROC) template, Attestations of Compliance (AOCs), and Self-Assessment Questionnaires (SAQs), replacing the original v4.0 reporting and validation documents. The PCI SSC has also taken this opportunity to add clarification and formatting updates to the documents. These changes are noted in each document's respective "Document Changes" table.

‍

Note that the change is limited to reporting and validation documents and not the Standard itself. The PCI SSC has chosen to separate the recording of information about an entity's compliance gaps and improvements needed from the formal reporting and validation documents. Before the end of Q2 2023, the PCI SSC will release a worksheet for assessors to document information about those areas needing improvement, to be supported by FAQs and additional guidance for the worksheet's completion.

‍

This change may impact organizations that have already completed a v4.0 assessment using the original reporting and validation documents or are in progress with their v4.0 assessment. The PCI SSC advises that all questions on this topic should be addressed to your compliance-accepting entity: i.e., for merchants, your acquiring bank or, for service providers, the relevant payment brands.

‍

Contact the VikingCloud team for more information about ensuring your organization is in compliance.

PCI DSS v4.0 – Removal of ‘In Place with Remediation’

This blog article, summarizes the published revisions to the PCI DSS v4.0 reporting and validation documents which may affect organizations that have completed a v4.0 assessment using the original reporting and validation documents or are in progress with their v4.0 assessment.

VIKINGCLOUD NEWS & RESOURCES

PCI DSS v4.0 Compliance: 5 Key Reasons to Define Roles and Responsibilities

What in the World is a Qualified Integrator and Reseller?

Penetration Testing

PCI DSS v4 Transformation when using PCI DSS v3.2.1 validated TPSPs

Connectivity Services

Cybersecurity Awareness Month: See Yourself in Cyber

VikingCloud Announces Industry’s First Generative AI-Powered Chatbot Combining Real-Time Cybersecurity and PCI Compliance Intelligence

Programs for Acquirers, ISOs, and Processors

PayPal and the PCI DSS

How women in payments, fintech, and cybersecurity are breaking the glass ceiling?

Ensuring Penetration Testing Leads to Security

Staying PCI DSS compliant as the global payment landscape evolves

PCI DSS v4.0: Authenticated Scans

Protecting Your Business from Phishing Attacks

How To Select A PCI Compliant Service Provider: Advice For Small Business Owners

Finding The Cure for Swelling Cyber-threats

PCI DSS 4.0 - Self Assessment Questionnaires

Avoid Audit Fatigue - Using Automation to Create an Efficient Compliance Framework (and Stay Sane)

VikingCloud Welcomes Jim Burke as New CEO

Cyber Threat Unit Spotlight: Chesley Moodley

“Does my backup services business need to be PCI compliant?”

How To Secure Your Software Supply chain

How You Can Use Tokenization to Reduce PCI Scope

Integrating CVSS 4.0 into VikingCloud Penetration Testing

How Do Cybercriminals Profit From My Stolen Data?

VF Corp. discloses cyberattack on first day of new SEC rule

Cyber Threat Unit Spotlight: Jay Turla

A different kind of food safety

EDR or SIEM: Which Should You Choose?

Voice

Spin the InfoSec Color Wheel - You Landed on Red!

The PCI DSS, Chaining and the Franchise Relationship

High Availabilty Solution

Will EMV Make You PCI Compliant?

Updated U.S. Cyber Guidelines Place Emphasis on Risk Governance

VikingCloud Announces Industry’s First PCI L4 Compliance Program with Integrated Cyber Risk Score

PCI Compliance and the Service Provider

How to Prepare for Heightened Board Involvement in Cybersecurity

CISOs on alert following SEC charges against SolarWinds

The Power of Proactive Cybersecurity Using Ethical Hackers

When the Internet Goes Out, this QSR Relies on a Seamless and Secure Backup

Introducing PCI DSS 4.0

Security maturity: it is time for organizations to come of age

3 Basic Ways to Avoid PCI Paralysis

PCI and storage of PAN

PA-DSS and PCI DSS: Beware the critical difference!

Securing the End Zone: Achieving PCI Compliance Excellence for an NFL Franchise

Microsoft Ending Support for Windows Server 2003

PCI DSS v4.0 – Best Practices for Automated Log Reviews

Managed Compliance Services

Serving Up Reliable Security

What is an Endpoint Protection Platform?

ISO 27002:2022

PCI DSS v4 – Are you using Disk Encryption?

What’s the best practice for masking or truncating PAN data?

Five Steps Before Using a Mobile Device to Accept Credit Cards

Cryptography in the Face of Quantum Computing

Cyber Threat Unit Spotlight: Robin Divino

NIST Cybersecurity Framework 2.0: A Deep Dive into the New Governance Function

Is PCI Compliance a Law? Should it be?

PCI Compliance and Your Website: A Guide

VikingCloud welcomes Gabe Moynagh as new board advisor

PCI DSS 4.0: Targeted Risk Analysis

A taste of how we delivered for the QSR Market

Beyond Fingerprints: Exploring Behavioral Biometrics for Secure Identity Verification

The Real Cost of Data Breach

P2PE Assesment Long Form

New “Backoff” Point-of-Sale Malware Alert

Endpoint protection; a vital tool in the battle against ransomware

MSP vs. MSSP

PCI DSS L1 Bundles

Cyber attackers and defenders are racing to up their AI game

5 Best Practices for Securing Your Small Biz

How Can Your PCI Compliance Efforts Ultimately Save Your Business Money?

Demystifying PCI DSS requirements: Penetration & segmentation testing

PCI DSS 4.0 - Risk vs. Requirement

5 Security Tips for Small IT Teams