The PCI Security Standards Council (SSC) has recently released the latest version of the 2.0 Report on Compliance (ROC) Reporting Instructions (formerly called the “scorecard”). This document had previously been for use by QSA auditors only; it is the secret sauce used to perform a Level 1 PCI audit. For those of you lucky enough to have gone through a L1 audit, the “scorecard” is the super secret document that the QSA kept stored on the triple encrypted drive in the TEMPEST-approved tamperproof tungsten-lined briefcase handcuffed to her wrist. QSA’s were not allowed to share the criteria on which the company was being audited (scored) on; the reporting instructions require the QSA to perform one or more of the following validation steps for every requirement:
Observation of system settings, configurations
Interview with personnel
Observation of process, action, state
Well, good news everyone! The document is now available to the general public. Hopefully, this will eliminate some of those awkward moments that seem to always come up during an audit: QSA: “You need a documented policy that says you use network address translation. That’s not written down anywhere.”Customer: “Can you show me where it says I need to do that in the DSS?”QSA: “You won’t find it there, but I promise it says it somewhere. I’m not allowed to show you, just trust me, you need it”.Customer: “Can you just let me peek over your shoulder?” QSA: “If you saw it, I would have to have your memory wiped. Have you ever seen “Men in Black“”?Customer: “I’m calling Security”. It’s pretty hard to follow the rules when you’re not allowed to know what they are. With this document’s public release a company can actually evaluate their controls and compliance program against the same standards that a QSA will use; no more guessing how to meet a requirement, no more conversations where the auditor gives a seemingly arbitrary failing finding, with a “because I said so” for the explanation. This should also allow for organizations to get a much better picture of the intent and expected implementation of a requirement by understanding how the controls will be assessed. Well done, SSC.
Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.
YouTube session cookie.
Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.
Analytics cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.
Preference cookies enable a website to remember information that changes the way the website behaves or looks, like your preferred language or the region that you are in.
Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
Cookies are small text files that can be used by websites to make a user's experience more efficient. The law states that we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies we need your permission. This site uses different types of cookies. Some cookies are placed by third party services that appear on our pages.
Discover why security operations teams choose NetSPI.