There are three ongoing steps for adhering to the PCI DSS:

  • Assess – identifying all locations of cardholder data, taking an inventory of your IT assets and business processes for payment card processing and analyzing them for vulnerabilities that could expose cardholder data.
  • Fix – fixing identified vulnerabilities, securely removing any unnecessary cardholder data storage, and implementing secure business processes.
  • Report – documenting assessment and remediation details, and submitting compliance reports to the acquiring bank and card brands you do business with (or other requesting entity if you’re a service provider).
  • Scope – determine which system components and networks are in scope for PCI DSS
  • Assess – examine the compliance of system components in scope following the testing procedures for each PCI DSS requirement
  • Report – Assessor and or entity completes required documentation (e.g. Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC)) including documentation of all compensating controls.
  • Attest – Complete the appropriate attestation of all Compliance.

Submit – submit the SAQ, ROC, AOC, and other requested supported documentation such as ASV scan reports. 

Link to ROC template: https://www.pcisecuritystandards.org/documents/PCI-DSS-v3_2-ROC-Reporting-Template.pdf

  • Remediate – If required, perform remediation to address requirements that are not in place and provide an updated report.

error: Content is protected !!