PCI Report on Compliance

If your company collects, transmits, stores or processes credit cardholder data, you will need to create a PCI DSS Report on Compliance at least annually for on-site assessments or self-reporting questionnaires. To sustain ongoing compliance after the initial point-in-time assessment, your company needs to design and implement a set of controls specific to PCI and security.

The PCI Security Standards Council provides a template for an attestation of compliance:

Executive Summary

The PCI Security Standards Council provides a template for an attestation of compliance:

Executive Summary

Entity’s payment card business description
High level network diagram

Description of Scope of Work and Approach Taken

How the assessment was made
Environment
Network segmentation used
Details for each sample set tested
Any international entities requiring compliance with PCI DSS
Wireless networks or applications
Version of PCI DSS used to conduct assessment (2.0 is the latest)

Details About Reviewed Environment

Network diagrams
Cardholder data environment
List of hardware and software in the cardholder data environment (CDE)
Service providers
Third-party applications
Individuals interviewed
Documentation reviewed
Reviews of managed service providers

Contact Information and Reporting Date

Quarterly Scan Results

Including the four most recent ASV (approved scanning vendor) scan results

Findings and Observations

Requirements and sub-requirements
Explain N/A responses
Validation of all compensating controls

When it comes to documenting details about your reviewed environment, any of your managed service providers/PCI hosting providers should be able to produce their own attestation of compliance report to inform your company about their controls and security. This can save you the time it takes to review and report on their compliance as it affects your company and cardholder data.

References:
PCI DSS Quick Reference Guide (Version 2.0) (PDF)