When PCI DSS v4.0 was released in March 2022, a new reporting option was included to document requirements that were “In Place with Remediation.” The goal of this option was to promote security as a continuous process by providing a means for organizations to identify areas needing improvement year over year. While stakeholders agreed that this was a valuable tool for improving security, recent feedback indicates that there may be a better way to achieve this goal.
In response to this feedback, PCI SSC is updating the PCI DSS v4.0 validation documents to remove the “In Place with Remediation” reporting option. We talk with Lauren Holloway, Director of Data Security Standards, to address some common questions about this PCI DSS v4.0 validation document update.
Which documents are being updated?
Lauren Holloway: The PCI DSS v4.0 Report on Compliance (ROC) templates, Attestations of Compliance (AOCs), and Self-Assessment Questionnaires (SAQs) are being updated to remove “In Place with Remediation” as a reporting option.
Will this update impact the standard?
Lauren Holloway: No. This update is limited to the PCI SSC v4.0 validation documents. The Report on Compliance Template - Frequently Asked Questions is also being updated to reflect the change.
What other changes are being made to the validation documents?
Lauren Holloway: In addition to removing “In Place with Remediation,” the document updates will include some clarifications and formatting corrections.
When will the updated validation documents be available?
Lauren Holloway: The updated validation documents are planned for publication before the end of 2022. Be sure to subscribe to our RSS feed to be notified once the documents have been added to the PCI SSC Document Library. Once available, the previous versions will be archived.
How does this impact PCI DSS v4.0 assessments already in progress or completed?
Lauren Holloway: For any questions about how this update impacts in-progress or completed PCI DSS v4.0 assessments, please contact your compliance-accepting entity. See FAQ 1142 “How do I contact the Payment Card Brands” for payment brand contact details.
Will a different method be provided to document information about areas needing improvement?
Lauren Holloway: Yes. To support organizations as they strive for security as a continuous process, the Council is creating a separate worksheet for assessors to document information about areas needing improvement. Additional guidance, such as FAQs and other supporting material, will also be provided to help organizations understand and use this worksheet.
The Qualified Security Assessor (QSA) Program Guide will also be updated to clarify assessor expectations and requirements for the completion of this worksheet.
When will the new worksheet be available?
Lauren Holloway: The new worksheet and additional guidance, such as FAQs and other supporting material, will be available in early 2023.
All documents will be published in the Document Library on the PCI SSC website.