There really is such a thing, but you rarely ever see or hear of one. But unlike the Loch Ness Monster or Big Foot, they can and do exist.
There is no reason that an organization cannot file a Report On Compliance (ROC) that is not compliant. The topic came up again because we have a client that is addressing some issues related to complying with v1.2 of the PCI DSS. Their remediation efforts will not be done for another five or six months, but their PCI ROC needs to be filed in one month and they do not think they can put in place compensating controls to address the remaining issues. As a result, there will be a couple of items on their PCI ROC that are in the dreaded ‘Not In Place’ column.
The first thing everyone needs to be aware of is that there is nothing in the PCI DSS that says an organization must file a compliant PCI ROC. It is just that filing a compliant PCI ROC makes for much less work for the acquiring bank and the merchant or service provider involved. But there are those out there who believe that a merchant or service provider must file a compliant ROC, and that is just false.
So, what happens if an organization files a non-compliant PCI ROC?
If an organization needs to file a non-compliant PCI ROC, then they need to be prepared for the additional scrutiny required by their acquiring bank and/or the card brands. When a merchant or service provider files a non-compliant PCI ROC, the organization that receives the PCI ROC must initiate an effort to track the requirements that are Not In Place. They need to periodically follow up on the Not In Place requirements and report the status of any Not In Place requirements to the card brands. The term ‘periodically’ is left to the acquiring bank to determine. But how often they follow up can be as little as quarterly and as often as weekly. The most common timeframe seems to be monthly meetings, but your experience will likely vary. This process is required to continue until all Not In Place requirements are deemed in place.
So, how does the acquiring bank determine that your organization’s Not In Place items are now In Place? Well, that is where things are not so well defined. What is defined is that the merchant or service provider informs the acquiring bank or card brands during the follow-up meeting/call that the Not In Place requirements are now In Place. What is not well defined is what happens after the bank is informed that those requirements are now In Place. Since there are no procedures documented in the PCI DSS, by the PCI SSC in an FAQ, or by the card brands, what happens next varies from acquiring bank to acquiring bank.
In most cases, the acquiring bank requests that the merchant or service provider get their QSA to update the ROC to reflect the changes in the Not In Place requirements. My firm’s problem with this approach is that in updating the PCI ROC, we are only looking at those requirements that have been updated from Not In Place to In Place. We are not re-conducting all of the testing in the PCI ROC. As a result, we only update those requirements that have changed, and we place a disclaimer in the PCI ROC that states which items were updated and when those updates occurred. We do not update the date of the report, as the entire report was not updated.
Our preferred approach is to issue a letter with an attachment that contains the individual requirements that are now In Place. The letter documents the scope of the re-review and the approach taken to test the updated requirements. This approach allows the PCI ROC to be updated for only those items that changed, and it does not alter the original PCI ROC that was issued. In this way, anyone reviewing the original report and the update has a clear understanding of what changed and why.