PCI DSS 4.0 Evidence Guidelines
In this episode of our PCI DSS v4.0 blog, we explain assessors’ responsibilities for providing evidence of their assessment findings, and how to prepare the provision of appropriate evidence for PCI DSS v4.0 assessments.
Assessment process
During a PCI DSS assessment, assessors check the extent to which a company has implemented the PCI DSS requirements.
Typically, an assessment process includes the following steps:
- Review of documents,
- Review of system components/settings,
- Review of processes,
- Review of physical conditions,
- review of protocols/results, and
- Interviews with staff.
This does not change with the migration to PCI DSS v4.0.
Evidence requirements
It usually remains hidden for the assessed company how an assessor makes notes and files evidence. We provide insight into the corresponding changes with PCI DSS v4.0.
With the new reporting template for PCI DSS v4.0 as well as with an update of the PCI DSS Program Guide for QSAs, the PCI SSC has now clarified that they require the assessor to file a corresponding evidence for each assessment step. The PCI SSC checks whether the assessor companies meet this by taking samples.
For documents, this is easy: the respective document itself is the required evidence. Regarding protocols/results, it is similar – here you just have to make sure that it is clear which system or process you are talking about.
If you send a screenshot or file to an assessor as evidence, please make sure to include the information which system component and/or process it is about. When reviewing system components/settings, the assessor must take dedicated notes on the system and setting in question.
When reviewing processes or physical conditions, the respective condition must be described in detail and it must be shown what conclusions the assessor draws from the observation. Similarly, in an interview, the assessor is expected to roughly write down the questions and answers.
Please give the assessor enough time to take notes during the assessment. In many cases, it can shorten the paperwork if the assessor is provided with copies or screenshots or is allowed to take photos.
The PCI DSS v4.0 lists about 250 sub-items for the 12 main requirements — the assessor will need a correspondingly large amount of evidence.
Retention requirements
The PCI DSS Program Guide requires that all of the above evidence must be securely retained by the assessor company for at least three years and made available to the PCI SSC and associated companies upon request.
For reasons of privacy or confidentiality, companies sometimes do not allow the assessor to take and file certain evidence. In this case, the PCI SSC stipulates that the evidence may be filed with the assessed company instead. The requirements for retention period and availability are the same in this case.
Since the obligations to provide evidence have become greater with PCI DSS v4.0, this case is expected to occur more frequently in the future.
If you expect that not all evidence may be passed on to the assessor, the best way to prepare yourself as an assessed company is by
- preparing an audit-proof storage of the evidence for at least three years,
- keeping a list of documents and evidence not handed over during the assessment,
- preparing a written confirmation for the assessor, in which you
- name the place of storage,
- name the contact person whom the PCI SSC can contact if it wishes to inspect evidence, and
- confirm audit-proof storage until a specific date at least three years in the future.
Dealing with deviations
How about evidence if the assessment did not immediately demonstrate compliance with all requirements, but deviations were found?
Planned deviations
In the simplest case is when you, as the assessed company, have already recognised in advance that you cannot fulfil a requirement or do not want to fulfil it in the specified way. In this case, you have already prepared documentation of a compensating control or a customised approach for the assessment. A PCI DSS expert can also help you with this — but it must not be the same individual who then assesses the implementation.
We will comment in detail on the Customised Approach in a later episode of our PCI DSS v4.0 blog.
In both cases, the assessor will review the evidence of your company’s Compensating Control or Customised Approach, ask questions if necessary, and then derive and implement appropriate testing methods. The obligations to collect evidence result from the respective assessment method.
Unplanned deviations — “INFI”
If unplanned deviations from PCI DSS requirements occur during an assessment period, they must be remedied and the remediation verified by the assessor. This was already the case in PCI DSS v3.2.1.
Additionally, PCI DSS v4.0 additionally explicitly requires that the cause for the occurrence of the deviation is identified and that processes are implemented to prevent a recurrence of such a deviation. Only if this is the case, the assessor can still consider the requirement as in place.
All deviations, their causes, corrective and preventive controls must be documented in the new “Items Noted For Improvement” (INFI) document for any PCI DSS v4.0 assessment.
The assessor provides the INFI document to the assessed company at the end of the assessment and both parties sign it. The INFI document proves that the assessed company has successfully managed the deviations. The document can be used internally within the assessed company — e.g. in compliance and risk departments — and can also be shared with third parties if desired. There is no obligation to present the INFI document anywhere, nor is it referenced in the Attestation of Compliance (A.O.C).
Particularly for processes that have to be repeated regularly, it happens from time to time that one instance is delayed, e.g. within the implementation of
- security awareness trainings,
- inspection of payment devices,
- vulnerability scans, or
- installation of patches.
It is best to consider in advance how you can design your processes in such a way that you adhere to the prescribed time periods and notice delays immediately.
For further questions feel free to contact Mrs Jana Ehlers.