Preparing for a Report on Compliance (ROC)

Alastair Stewart
|
Senior Consultant at URM
|
PUBLISHED on
8 Aug
2022

There’s no getting away from the fact that preparing for a PCI DSS ROC can be a bit of a trial, and particularly for those who are experiencing their first visit from a QSA.  Like most trials, the good news is that future visits do get easier as your infrastructure gets up to spec.  That first assessment, however, will often involve some significant preparation work and investment,  such as a redesign of network architecture or the purchase of hardware and software.  It could also mean changes in working practices, the introduction cryptographic controls and change processes as you elevate the security posture of the environment to a level acceptable for a successful PCI DSS audit.

Scoping

Scoping is the single most important part of any PCI DSS assessment.  Establishing your scope can be challenging, especially if different types of payment channels exist which contribute to a complex cardholder data environment (CDE).  The QSA will spend a considerable amount of time understanding all technologies, systems, people and processes involved in each of these payment channels.

Segmentation

One of the biggest misconceptions we keep coming across is that network segmentation is a PCI DSS requirement.  Let’s put this one well and truly to bed: segmentation is categorically not a PCI DSS requirement!  Having said that, in today’s modern environments, there are lots of benefits in segmenting your CDE, not least in easing the pain and limiting the scope of an assessment.  Without segmentation, every single system, node, workstation and networking device would need to comply with every requirement of the Standard.  By segmenting the systems that are directly involved in the storing /transmitting/processing of cardholder data (CHD) from the rest of the organisation’s network, the scope of the assessment will be reduced significantly. And don’t forget that any system connected to those systems directly handling CHD, also need to be segmented.  

Understand where data resides and whether it’s required at all

Apart from establishing your scope and segmenting your CDE, the biggest challenge organisations face is understanding where CHD is stored.  We often find organisations which are not aware of all the CHD that is being retained.  CHD can be stored in locations as diverse as legacy systems’ (potentially offsite) backups or Excel databases in the finance department.  Without a well-defined data retention and disposal policy, many organisations find themselves storing CHD unnecessarily.  Quite often, this is due to the existence of a process that has never been questioned.  URM’s QSAs are well versed in understanding processes and procedures and helping to identify any oversights.

Preparation

What can you do to ensure the assessment goes as smoothly as possible?  The glib one-word answer is preparation.  In addition to securing the availability of all necessary staff members, ensure that all relevant policies, procedures, network and data flow diagrams are readily available to the assessor.  Not being able to provide documents in a timely manner will not result in a failed control, but the delay may prolong the time an assessor needs to spend onsite, potentially increasing the costs of an assessment.

‘Cheat sheet’

To avoid any confusion or surprises during an assessment, and to gain insights as to what an assessor will ask/observe/validate/verify, we strongly recommended that you download a copy of the ‘PCI DSS Requirements and Security Assessment Procedures’ and the ‘PCI DSS ROC Reporting Instructions’ from the PCI Council’s  document library (https://www.pcisecuritystandards.org).

Alastair Stewart
Senior Consultant at URM
Alastair is one of the most experienced and proficient Payment Card Industry Qualified Security Assessors (PCI QSAs) in the UK. He has completed in excess of one hundred successful reports on compliance (RoCs) against different PCI DSS versions along with supporting the completion of self-assessment questionnaires (SAQs).
Read more

Are you looking for a PCI QSA?

As a long-established PCI QSA, URM is able to deliver a full PCI QSA-led audit and produce a report on compliance (RoC) as well as deliver a full QSA-led self-assessment questionnaire (SAQ)
Thumbnail of the Blog Illustration
Information Security
Published on
5/8/2022
What Are the Service Provider Levels

In this blog, we turn our attention to service providers. The PCI Security Standards Council defines a service provider....

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
9/8/2022
5 Ways to Reduce Your PCI DSS Scope

Almost all organisations that implement the Payment Card Industry Data Security Standard (PCI DSS) struggle with the scope of the applicability....

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
5/8/2022
Can I Store Cardholder Data?

In this article, we aim to clarify what requirements the Payment Card Industry Data Security Standard (PCI DSS) places around....

Read more
This was a good webinar, thank you. Having it as a webinar rather than face to face worked really well and much more convenient with the new standards for travel and cost being put in place etc. The information was useful and well paced. Would be great to get a copy of the slide deck sent out as well. I missed the first minute or so but it would of been good to see an image of who was presenting as well. And you answered my question as well. Thanks
Webinar 'How to Achieve ISO 27001 Certification'
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.