Preparing for a Report on Compliance (ROC)

Latest update: 8 Aug 2022

There’s no getting away from the fact that preparing for a PCI DSS ROC can be a bit of a trial, particularly for those who are experiencing their first visit from a QSA. Like most trials, the good news is that future visits do get easier as your infrastructure gets up to spec. That first assessment, however, will often involve significant preparation work and investment, such as a redesign of the network architecture or the purchase of hardware and software. It could also mean changes in working practices, the introduction of cryptographic controls and change processes as you elevate the security posture of the environment to a level acceptable for a successful PCI DSS audit.

Scoping

Scoping is the single most important part of any PCI DSS assessment.  Establishing your scope can be challenging, especially if different types of payment channels exist which contribute to a complex cardholder data environment (CDE).  The QSA will spend a considerable amount of time understanding all technologies, systems, people and processes involved in each of these payment channels.

Segmentation

One of the biggest misconceptions we keep coming across is that network segmentation is a PCI DSS requirement. Let’s put this one well and truly to bed: segmentation is categorically not a PCI DSS requirement! Having said that, in today’s modern environments there are lots of benefits in segmenting your CDE, not least in easing the pain and limiting the scope of an assessment. Without segmentation, every single system, node, workstation and networking device would need to comply with every requirement of the Standard. By segmenting the systems that are directly involved in storing, transmitting or processing cardholder data (CHD) from the rest of the organisation’s network, the scope of the assessment will be reduced significantly. And don’t forget that any system connected to those systems directly handling CHD also needs to be segmented.

Understand where data resides and whether it’s required at all

Apart from establishing your scope and segmenting your CDE, the biggest challenge organisations face is understanding where CHD is stored. We often find organisations which are not aware of all the CHD that is being retained. CHD can be stored in locations as diverse as legacy systems’ (potentially offsite) backups or Excel databases in the finance department. Without a well-defined data retention and disposal policy, many organisations find themselves storing CHD unnecessarily. Quite often, this is due to the existence of a process that has never been questioned. URM’s QSAs are well versed in understanding processes and procedures and helping to identify any oversights.

Preparation

What can you do to ensure the assessment goes as smoothly as possible? The glib one-word answer is preparation. In addition to securing the availability of all necessary staff members, ensure that all relevant policies, procedures, network and data flow diagrams are readily available to the assessor. Not being able to provide documents in a timely manner will not result in a failed control, but the delay may prolong the time an assessor needs to spend onsite, potentially increasing the cost of an assessment.

‘Cheat sheet’

To avoid any confusion or surprises during an assessment, and to gain insight into what an assessor will ask, observe, validate and verify, we strongly recommend that you download a copy of the ‘PCI DSS Requirements and Security Assessment Procedures’ and the ‘PCI DSS ROC Reporting Instructions’ from the PCI Council’s document library (https://www.pcisecuritystandards.org).
