PCI Report on Compliance

April 7, 2012
8 Views

If your company collects, transmits, stores or processes credit cardholder data, you will need to create a PCI DSS Report on Compliance at least annually for on-site assessments or self-reporting questionnaires. To sustain ongoing compliance after the initial point-in-time assessment, your company needs to design and implement a set of controls specific to PCI and security.

The PCI Security Standards Council provides a template for an attestation of compliance:

Executive Summary

If your company collects, transmits, stores or processes credit cardholder data, you will need to create a PCI DSS Report on Compliance at least annually for on-site assessments or self-reporting questionnaires. To sustain ongoing compliance after the initial point-in-time assessment, your company needs to design and implement a set of controls specific to PCI and security.

The PCI Security Standards Council provides a template for an attestation of compliance:

Executive Summary

  • Entity’s payment card business description
  • High level network diagram

Description of Scope of Work and Approach Taken

  • How the assessment was made
  • Environment
  • Network segmentation used
  • Details for each sample set tested
  • Any international entities requiring compliance with PCI DSS
  • Wireless networks or applications
  • Version of PCI DSS used to conduct assessment (2.0 is the latest)

Details About Reviewed Environment

  • Network diagrams
  • Cardholder data environment
  • List of hardware and software in the cardholder data environment (CDE)
  • Service providers
  • Third-party applications
  • Individuals interviewed
  • Documentation reviewed
  • Reviews of managed service providers

Contact Information and Reporting Date

Quarterly Scan Results

  • Including the four most recent ASV (approved scanning vendor) scan results

Findings and Observations

  • Requirements and sub-requirements
  • Explain N/A responses
  • Validation of all compensating controls

When it comes to documenting details about your reviewed environment, any of your managed service providers/PCI hosting providers should be able to produce their own attestation of compliance report to inform your company about their controls and security. This can save you the time it takes to review and report on their compliance as it affects your company and cardholder data.

References:
PCI DSS Quick Reference Guide (Version 2.0) (PDF)

You may be interested

The Merger of Technology and Nutrition
Health care
0 shares152 views
Health care
0 shares152 views

The Merger of Technology and Nutrition

jaredjaureguy - May 26, 2017

The influx of technology in healthcare has revolutionized the domain. It has opened doors for new opportunities in the field…

3 Surprising Facts About the American Healthcare System
Health care
0 shares264 views
Health care
0 shares264 views

3 Surprising Facts About the American Healthcare System

Ryan Kh - May 24, 2017

The status of American healthcare has been in the news frequently over the past several months due to the new…

SEO vs Paid Search vs Social Media – Which is Better for Healthcare Marketing
eHealth
0 shares418 views
eHealth
0 shares418 views

SEO vs Paid Search vs Social Media – Which is Better for Healthcare Marketing

Rehan Ijaz - May 23, 2017

Digital media has transformed marketing practices in just about every industry. Healthcare marketing has surprisingly been affected by the digital…