Hold Your Horses

UPDATE: The ROC Reporting Template is available as a PDF on the Document Library page, after the Reporting Template and Forms banner almost all the way down the page. The Word version of the ROC Reporting Template is now available from the PCI Portal. No word yet on the PA-DSS and ROV Reporting Template.

Yes, the PCI SSC released the final version of the PCI DSS v3.2, an updated Glossary and a Summary of Changes document on their Web site this morning, but we are missing a key piece: the Report On Compliance (ROC) Reporting Template.

Why is that important, you might ask?

The ROC Reporting Template is the document that contains all of the tests that a QSA/ISA needs to conduct to prove that an organization is PCI compliant. It tells you and your QSA/ISA what evidence needs to be gathered, how to gather that evidence and the level of effort required. Without that information, an assessment under v3.2 cannot be performed, nor can we truly know the breadth and depth of the changes the Council has made.

The Council promised on their Webinar a month ago that all documents would be released on the same date. But as of this writing, the ROC Reporting Template is missing in action.

Until we have that document, we have nothing.

Also of note, the PA-DSS v3.2 and its related Report On Validation Reporting Template are missing in action as well.


7 Responses to “Hold Your Horses”

  1. Fred
    May 9, 2016 at 12:14 PM

    Do we know when a new Prioritized Approach document will be available?

    Thank you,

  2. David Grow
    April 29, 2016 at 11:51 AM

    The PDF version is out now of the ROC reporting template. Still waiting on the Word version.

  3. April 28, 2016 at 2:42 PM

    I haven’t checked the Portal yet for the Word version, but the PDF version is in the public documents library now.


    • April 28, 2016 at 2:59 PM

      That is still the PCI DSS and not the ROC Reporting Template. Supposedly the Reporting Template will be available late tomorrow, April 29. That template was typically only available on the Portal, not through the general Web site.

  4. Linda Rocco
    April 28, 2016 at 12:04 PM

    They said on the same day so there’s still time left but I agree that it would’ve been best if they had provided the DSS and SAQ/AOC/ROC at the same time. As you pointed out, the standard itself is useless without the assessment documents.


Welcome to the PCI Guru blog. The PCI Guru reserves the right to censor comments as they see fit. Sales people beware! This is not a place to push your goods and services.
