The PCI SSC continues to release documentation to support the new v3.0 standard; however, it seems they’re keeping it low key. In fact, the only clue that new documentation has been released this month is in the small ‘Recent Documents’ section on the home page, which has been updated with the PCI DSS RoC reporting template for v3.0. This document gives us the best insight yet into how the SSC expects organisations to comply with v3.0. The practical implication of the Report on Compliance (RoC) template being released is that level 1 merchants and service providers can now be audited by a QSA.
The first thing to note is that the reporting template has had a considerable overhaul across the board; virtually all of it has been tweaked, changed or manipulated in some way. The first five sections, which contain the contact information, executive summary, scope of work, environment details and quarterly scan results, have been re-organised and greatly expanded. They now include organised tables in which to enter the information, and detailed descriptions of what is expected within each section. They also include table templates for organising the evidence collected, such as documents and interview records. All of this gives a very good indication of what a QSA is expected to gather as supporting evidence for an audit.
I’m sure a lot of you were wondering (like us) what would happen in the scenario where an organisation is going for compliance under v3.0 but its service providers are only compliant with v2.0. Does this mean a fail or not? Well, a very important clarification has been added to the introduction section this time round:
“During the implementation period for PCI DSS 3.0, an entity being assessed against PCI DSS v3.0 may be relying on the compliance of third-party service providers who are assessed as compliant against PCI DSS v2.0. This is acceptable, and there is no need to force the third-party service provider to be assessed against PCI DSS 3.0 while their PCI DSS 2.0 assessment is still valid.”
So those of you with a number of service providers can breathe a sigh of relief, but you will still need to prepare your service provider contracts for 2015 to ensure that they are planning for v3.0 compliance appropriately.
Finally, the findings and observations section, which is where the QSA will detail compliance against each individual requirement, has had a major overhaul in its layout. Firstly, there are now five possible results for each requirement: In Place, In Place with CCW, Not Applicable, Not Tested, and Not in Place, and the introduction details where each of these should be used. Secondly, the reporting instructions for each requirement, which outline how to check each one, have been changed. Instead of ticking one of five boxes to report how compliance against each requirement was verified, the template now gives a description of what is expected to verify each one. It is worth noting that although the five tick-box categories have gone, the evidence required still falls broadly into the same types: interviews, documents, sample sets and observation.
Overall these changes are a good thing: they give a more detailed account of what the PCI SSC expects companies to produce to prove compliance, and they should help to reduce heated debates between QSAs and organisations over whether they are compliant or not. They could also reflect the tone and structure of the upcoming new SAQs.