The PCI Security Standards Council (PCI SSC) has released the PCI Data Security Standard (PCI DSS) Report on Compliance (ROC) Template for v4.0.1 to align with PCI DSS version 4.0.1, to address minor errors, and to reformat the template.
The ROC Template, which was originally planned to be published in June along with PCI DSS v4.0.1, was delayed so that PCI SSC could additionally address much of the feedback received from stakeholders regarding usability and performance. This feedback included that the PCI DSS v4.0 ROC template took too long to complete, required redundant information, and resulted in a large final report subject to performance issues. The Council engaged with the Global Executive Assessor Roundtable (GEAR), the Board of Advisors (BOA), the Technology Advisory Board (TAB), and the Technology Guidance Group (TGG) to collaborate on the final version of the new ROC Template.
The PCI DSS v4.0.1 ROC Template is now available in the PCI SSC Document Library. A Summary of Changes from ROC Template v4.0 to v4.0.1 is also available.
In addition to the ROC Template and the Summary of Changes from ROC Template v4.0 to v4.0.1, the following related documents were also published to the PCI SSC Document Library: the PCI DSS v4.0.1 ROC Attestations of Compliance (AOCs) for merchants and service providers, ROC Template Frequently Asked Questions, Sample Customized Approach Templates, and the Designated Entities Supplemental Validation (DESV) ROC and DESV AOC.
The Council is also updating the Self-Assessment Questionnaires (SAQs) and SAQ AOCs for v4.0.1 and will announce when these new versions are available.
"The GEAR has been a great forum for communication between the assessor community and the PCI Security Standards Council. This communication and cooperation showed its power recently in the recent changes to the PCI DSS v4.0.1 ROC template. The PCI Security Standards Council listened to comments from QSA companies on the hardships the original PCI DSS v4.0 ROC template was causing and quickly moved to implement suggestions from the GEAR community and other stakeholders to improve the template. I am impressed with the speed these changes were made, and am excited to roll out this new template to our team."
Gary Glover

"Working with the PCI DSS v4.0 Report on Compliance (ROC) template, assessors detected challenges that were very time-consuming without improving their work. Fortunately, within the Global Executive Assessor Roundtable (GEAR) we had the opportunity to address this issue with PCI SSC quickly. PCI SSC responded promptly and improved the template over the course of several rapid feedback sessions. It was fun to work with PCI SSC in such a direct and agile way, and I hope this collaboration will continue into the future."
Jana Ehlers

"The quick turnaround of the new 4.0.1 template shows the recent step change in community engagement from the PCI SSC leadership and program management teams. Having been able to support the updates and changes as an active member of the GEAR, it's great to see how swiftly these changes have been implemented, and the approach taken to multiple stakeholders working together. The continued drive to streamline PCI's reporting is incredibly valuable to both the assessor and the assessed, and helps everyone focus on maintaining the security controls and not just reporting on them."
Andrew Barratt