By Jason McWhirr, Information Security Consultant
It will come as no surprise that the Report on Compliance (RoC) template has also been updated as part of the roll out of Payment Card Industry Data Security Standard (PCI DSS) version 3.2.
For those not so familiar with the template, it applies to all level 1 merchants who are contractually obliged to annually submit a Report on Compliance (RoC) to their acquirer to verify their compliance. Level 1 merchants are businesses that process more than 6,000,000 VISA or Mastercard transactions annually.
It also applies to service providers that store, process or transmit over 300,000 VISA or Mastercard transactions annually. These service providers will generally report directly to the payment brands.
Though the older version of the RoC template can still be submitted until the expiration of the v3.1 standard in October 2016 at Sysnet we would recommend that the updated RoC template is now used.
Changes for Acquirers with v3.2
Now that v3.2 of the RoC is available, what should you look out for in the new template? We explore the main changes below:
- Correct Documentation: When reviewing submitted RoC documentation, ensure the supplied RoC Reporting Template version matches the supplied Attestation of Compliance (AoC) version. Currently, both the PCI DSS v3.1 and v3.2 documentations are available to be submitted, so it is important that all document versions match for the submitted entity.
- Template Formatting: Check that the formatting and personalisation of the submitted RoC Template is not overly changed or personalised. As a result of feedback made to the Payment Card Industry Security Standards Council (PCI SSC), template personalisation rules have been updated to restrict changes by Payment Card Industry Qualified Security Assessor (PCI QSA) consulting organisations. Now, the format of the template cannot be changed, pages cannot be removed or re-ordered, with personalisation limited to the title page and headers of the remainder of the document. Legal content is allowed by using addendums, with references to the addendum in the document.
- Shorter RoC reports: In a move to limit unnecessary reporting, the PCI SSC have allowed assessor responses for 44 requirements. In practise this means that all that is now required is the name of the PCI QSA, rather than the reporting detail. This ‘signature’ confirms that the assessor has attested that the control is in place/verified without needing to create unnecessary reporting (the assessor should be collating evidence to re-validate their attestation). The ‘signature’ has been deemed stronger than a ‘yes’ or ‘checkmark’. For example;
V3.1 RoC Template;
V3.2 RoC Template;
- Summary of Findings: The PCI SSC have added a new summary of findings which makes it quicker and easier to identify compliant, non-compliant, and not applicable statuses for acquirers (1.5).
- Cardholder Data Flow Diagrams: It is now an option to insert cardholder data flow diagrams into the RoC Reporting Template, in addition to the existing ability to add an entity’s high-level and detailed network diagrams (4.2).
Sysnet’s Risk & Assurance services provide clear guidance to all aspects of PCI DSS, including RoC templates. Our Qualified Security Assessors (QSA’s) understand the intricacies of a wide range of security solutions including PCI DSS, PA-DSS certification and also P2PE compliance. Additionally, we can also assist in designing, implementing and documenting appropriate security controls, procedures and policies, all within a holistic cybersecurity framework that takes into account all applicable standards and regulations. To learn more about our solutions or for more information about our services, please visit Risk & Assurance or email firstname.lastname@example.org
If you are a merchant that requires technical or PCI DSS help, please click here