Preparing for a Report on Compliance (ROC)

Alastair Stewart | Senior Consultant at URM | Published on 8 Aug 2022


There’s no getting away from the fact that preparing for a PCI DSS ROC can be a bit of a trial, particularly for those who are experiencing their first visit from a QSA. Like most trials, the good news is that future visits do get easier as your infrastructure gets up to spec. That first assessment, however, will often involve significant preparation work and investment, such as a redesign of the network architecture or the purchase of hardware and software. It could also mean changes in working practices, and the introduction of cryptographic controls and change processes, as you elevate the security posture of the environment to a level acceptable for a successful PCI DSS audit.

Scoping

Scoping is the single most important part of any PCI DSS assessment.  Establishing your scope can be challenging, especially if different types of payment channels exist which contribute to a complex cardholder data environment (CDE).  The QSA will spend a considerable amount of time understanding all technologies, systems, people and processes involved in each of these payment channels.

Segmentation

One of the biggest misconceptions we keep coming across is that network segmentation is a PCI DSS requirement. Let’s put this one well and truly to bed: segmentation is categorically not a PCI DSS requirement! Having said that, in today’s modern environments there are lots of benefits in segmenting your CDE, not least in easing the pain and limiting the scope of an assessment. Without segmentation, every single system, node, workstation and networking device would need to comply with every requirement of the Standard. By segmenting the systems that are directly involved in storing, transmitting or processing cardholder data (CHD) from the rest of the organisation’s network, the scope of the assessment will be reduced significantly. And don’t forget that any system connected to those systems directly handling CHD also needs to be segmented, or it remains in scope.
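The scoping rule in this section (CDE systems are in scope, anything with a direct connection to them is in scope as a "connected-to" system, everything else can be kept out of scope by segmentation) is mechanical enough to derive from a list of observed network flows. The script below is an added example, not code from the URM post; the hostnames, flows and the CDE list are constructed, and the "scope drivers" report is our own addition to show which flows are pulling each connected-to host into the assessment.

```python
"""Classify hosts into PCI DSS scope categories from observed network flows.

Added example (not from the blog post). Hostnames, ports and the CDE set
are constructed for illustration. Rule applied:
  - a host that stores/processes/transmits CHD is 'cde';
  - a host with a direct flow to or from any CDE host is 'connected-to'
    (in scope for the assessment);
  - any other host is 'out-of-scope', provided the segmentation boundary
    really does block traffic to the CDE.
"""
from collections import defaultdict

# Constructed sample flows: (source, destination, port) seen at the firewall.
SAMPLE_FLOWS = [
    ("pos-terminal-01", "payment-app", 443),   # card-present channel
    ("payment-app", "card-db", 5432),          # app talks to the card vault
    ("card-db", "backup-srv", 22),             # backups pull from the vault
    ("jump-host", "payment-app", 22),          # admin access into the CDE
    ("payment-app", "siem", 514),              # syslog out of the CDE
    ("hr-wiki", "hr-db", 3306),                # corporate systems, no CDE path
    ("finance-pc", "hr-wiki", 443),
]

# Constructed: the systems that directly store, process or transmit CHD.
CDE_SYSTEMS = {"pos-terminal-01", "payment-app", "card-db"}


def _adjacency(flows):
    """Undirected neighbour map; direction does not matter for scoping."""
    adjacency = defaultdict(set)
    for src, dst, _port in flows:
        adjacency[src].add(dst)
        adjacency[dst].add(src)
    return adjacency


def classify_scope(flows, cde_systems):
    """Return {host: 'cde' | 'connected-to' | 'out-of-scope'} for every host."""
    adjacency = _adjacency(flows)
    hosts = set(adjacency) | set(cde_systems)
    result = {}
    for host in sorted(hosts):
        if host in cde_systems:
            result[host] = "cde"
        elif adjacency[host] & set(cde_systems):
            result[host] = "connected-to"
        else:
            result[host] = "out-of-scope"
    return result


def scope_drivers(flows, cde_systems):
    """For each connected-to host, list the flows that put it in scope.

    Removing or brokering one of these flows (e.g. via a hardened relay
    inside the CDE) is the only way to move the host out of scope.
    """
    drivers = defaultdict(list)
    for src, dst, port in flows:
        if src in cde_systems and dst not in cde_systems:
            drivers[dst].append((src, dst, port))
        elif dst in cde_systems and src not in cde_systems:
            drivers[src].append((src, dst, port))
    return dict(drivers)


if __name__ == "__main__":
    for host, category in classify_scope(SAMPLE_FLOWS, CDE_SYSTEMS).items():
        print(f"{host:16} {category}")
    for host, flows in scope_drivers(SAMPLE_FLOWS, CDE_SYSTEMS).items():
        print(f"{host} is in scope because of: {flows}")
```

Run against real firewall or NetFlow exports, the same logic gives you a first-cut scope inventory to reconcile with the network diagram before the QSA arrives; any "out-of-scope" host that turns up a flow into the CDE is either a missing segmentation rule or a missing entry in your CDE list.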

Understand where data resides and whether it’s required at all

Apart from establishing your scope and segmenting your CDE, the biggest challenge organisations face is understanding where CHD is stored.  We often find organisations which are not aware of all the CHD that is being retained.  CHD can be stored in locations as diverse as legacy systems’ (potentially offsite) backups or Excel databases in the finance department.  Without a well-defined data retention and disposal policy, many organisations find themselves storing CHD unnecessarily.  Quite often, this is due to the existence of a process that has never been questioned.  URM’s QSAs are well versed in understanding processes and procedures and helping to identify any oversights.
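Finding CHD that nobody knew was retained (old exports in a finance share, a legacy application's backups) is usually done with a PAN discovery scan: look for runs of 13 to 19 digits, discard those that fail the Luhn check, and report only a masked value so the scan output does not itself become a new store of CHD. The scanner below is an added example, not URM's tooling; the file contents are constructed and use well-known test card numbers rather than real PANs.

```python
"""Minimal PAN discovery scanner with Luhn filtering and masked output.

Added example (not from the blog post). SAMPLE_FILES is constructed and
contains only publicly documented test card numbers. The scanner never
returns or prints a full PAN: findings carry a masked form (last four
digits only), which is enough to locate the data for remediation.
"""
import re

# Digit runs of 13-19 digits, optionally separated by single spaces or
# hyphens, not embedded in a longer digit run.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample "files": path -> contents.
SAMPLE_FILES = {
    "finance/refunds_2019.csv": (
        "date,customer,card,amount\n"
        "2019-03-04,J Smith,4111111111111111,45.00\n"
        "2019-03-05,A Jones,4012 8888 8888 1881,12.50\n"
        "2019-03-06,order-ref,1234567890123456,99.00\n"   # fails Luhn
    ),
    "backups/legacy_app.log": (
        "2018-11-02 10:14:01 INFO auth ok for 5500-0000-0000-0004 txn=88213\n"
        "2018-11-02 10:14:02 INFO phone 01234567890 callback scheduled\n"
    ),
}


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check: double every second digit from the right."""
    total = 0
    for index, char in enumerate(reversed(digits)):
        value = int(char)
        if index % 2 == 1:
            value *= 2
            if value > 9:
                value -= 9
        total += value
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits; everything else becomes '*'."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(source: str, text: str):
    """Yield findings for one text blob: (source, line_no, masked, length)."""
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_PATTERN.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                yield (source, line_no, mask_pan(digits), len(digits))


def find_pans(files):
    """Scan a mapping of path -> contents and return all findings."""
    findings = []
    for path, contents in files.items():
        findings.extend(scan_text(path, contents))
    return findings


if __name__ == "__main__":
    for source, line_no, masked, length in find_pans(SAMPLE_FILES):
        print(f"{source}:{line_no}: {masked} ({length} digits)")
```

Swap `SAMPLE_FILES` for a walk over the shares, mailboxes and backup mounts you suspect, and feed the results into your data retention and disposal decisions: every hit is either CHD that must be protected under the Standard or CHD that should simply be deleted. The Luhn filter removes most order numbers and identifiers, but expect some false positives and confirm each finding before acting on it.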

Preparation

What can you do to ensure the assessment goes as smoothly as possible?  The glib one-word answer is preparation.  In addition to securing the availability of all necessary staff members, ensure that all relevant policies, procedures, network and data flow diagrams are readily available to the assessor.  Not being able to provide documents in a timely manner will not result in a failed control, but the delay may prolong the time an assessor needs to spend onsite, potentially increasing the costs of an assessment.

‘Cheat sheet’

To avoid any confusion or surprises during an assessment, and to gain insight into what an assessor will ask, observe, validate and verify, we strongly recommend that you download a copy of the ‘PCI DSS Requirements and Security Assessment Procedures’ and the ‘PCI DSS ROC Reporting Instructions’ from the PCI Council’s document library (https://www.pcisecuritystandards.org).

Alastair Stewart
Senior Consultant at URM
Alastair is one of the most experienced and proficient Payment Card Industry Qualified Security Assessors (PCI QSAs) in the UK. He has completed in excess of one hundred successful reports on compliance (RoCs) against different PCI DSS versions along with supporting the completion of self-assessment questionnaires (SAQs).