Hold Your Horses

UPDATE: The ROC Reporting Template is available as a PDF on the Document Library page after the Reporting Template and Forms banner almost all the way down the page. The Word version of the ROC Reporting Template is now available from the PCI Portal. No word yet on the PA-DSS and ROV Reporting Template.

Yes, the PCI SSC released the final version of the PCI DSS v3.2, an updated Glossary and Summary of Changes document on their Web site this morning, but we are missing a key piece.  The Report On Compliance (ROC) Reporting Template.

Why is that important you might ask?

The ROC Reporting Template is the document that contains all of the tests that a QSA/ISA needs to conduct to prove that an organization is PCI compliant.  It tells you and your QSA/ISA the evidence needed to gather, how to gather the evidence and level of effort required.  Without that information, an assessment under v3.2 cannot be performed.  Let alone do we truly know the breadth and depth of the changes the Council has made.

The Council promised on their Webinar a month ago that all documents would be released on the same date.  But as of this writing, the ROC Reporting Template is missing in action.

Until we have that document, we have nothing.

Also of note is that the PA-DSS v3.2 and its related Report On Validation Reporting Template are also missing in action as well.


7 Responses to “Hold Your Horses”

  1. 1 Fred
    May 9, 2016 at 12:14 PM

    Do we know when a new Prioritized Approach document will be available?

    Thank you,

    • May 10, 2016 at 6:52 AM

      The Council has not provided any guidance on that issue. I would guess it may be a month or two at least, possibly even more.

  2. 3 David Grow
    April 29, 2016 at 11:51 AM

    The PDF version is out now of the ROC reporting template. Still waiting on the Word version.

  3. April 28, 2016 at 2:42 PM

    I haven’t checked the Portal yet for the Word version, but the PDF version is in the public documents library now.


    • April 28, 2016 at 2:59 PM

      That is still the PCI DSS and not the ROC Reporting Template. Supposedly the Reporting Template will be available late tomorrow, April 29. Taht template was typically only available on the Portal, not through the general Web site.

  4. 6 Linda Rocco
    April 28, 2016 at 12:04 PM

    They same on the same day so there’s still time left but I agree that it would’ve been best if they had provided the DSS and SAQ/AOC/ROC at the same time. As you pointed, the standard itself is useless without the assessment documents.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s


If you are posting a comment, be patient, as the comments will not be published until they are approved.

If your organization has a PCI opportunity, is in need of assistance with a PCI issue or if you would like the PCI Guru to speak at your meeting, you can contact the PCI Guru at pciguru AT gmail DOT com.

I do allow vendors to post potential solutions in response to issues that I bring up in posts. However, the PCI Guru does not endorse any specific products, so "Caveat Emptor" - let the buyer beware. Also, if I feel that the response is too "sales-ee", I reserve the right to edit or not even authorize the response.


April 2016
« Mar   May »

Enter your email address to subscribe to the PCI Guru blog and receive notifications of new posts by email.

Join 1,997 other followers


%d bloggers like this: