What Do You Mean PCI DSS Compliance Requires Evidence?

I learned the hard way: PCI DSS Compliance requires evidence to back up any “In place” check mark.

Back in 2011, before I knew what PCI DSS Compliance was, I took a contract project manager role to lead a number of information security projects to help secure my former company’s cardholder data environment. 

The powers above my pay grade decided to assess as a Level 1 merchant, since the company was about to tip over the magical 6 million annual transaction threshold. It was a smart decision, albeit a painful one.

As the organization geared up for a Report on Compliance assessment, resistance from application developers, the network team, the active directory team, and just about anyone who was tasked with implementing new technology or fixing broken processes ran rampant.

It was eye-opening for these teams. They had never been bothered by PCI DSS compliance because someone else completed an SAQ D each year and never asked them for evidence. Being asked for screenshots of configuration settings was a rather rude awakening.

Not to mention being in the hot seat for an interview with the QSA. 

Where's the disconnect?

No one understood that there was a disconnect between the PCI DSS requirements and testing procedures on one side and the actual assessment reporting instructions on the other.

Being one office over from one of the senior IT Security directors, I can tell you there were some very loud discussions.

Back then I didn’t know much about PCI compliance, but I did know how to research. It didn’t take me long to find the PCI DSS Reporting Template, and with it the key to being able to prove PCI DSS compliance.

I stood in the senior director’s office and showed him examples of what we needed to do and the proof we needed to back up each requirement as “in place.” For a brief moment, he was speechless.

The struggle between checking a PCI DSS requirement as “in place” and backing it up with proof is real.

The disconnect between the standard and the reporting template remains a challenge for merchant organizations to grapple with, especially Level 2 merchants about to tip into Level 1 territory.

It’s one thing to check a box that states “Configurations of NSCs are reviewed at least once every six months to confirm they are relevant and effective.” (PCI DSS Requirement 1.2.7, where NSCs are network security controls such as firewalls and ACLs)

It’s quite another thing to:

  • prove you have documented procedures that define the six-month reviews
  • provide the documentation (records) of the reviews that were actually performed
  • schedule interviews with the people who perform them to confirm that reviews happen at least every six months
  • and provide proof that configurations no longer supported by a business justification were removed or updated
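The last two bullets are the ones that most often have no artifact behind them, because reviews happen in someone's head or in a meeting with no record. The script below is an added example (not the article's own tooling, and not a PCI SSC artifact) of how to turn a rule export and a review log into a dated record for Requirement 1.2.7. The field names (rule_id, justification, owner, expires), the six-month window of 183 days, and both sample data sets are constructed for illustration; map them to whatever your firewall or ACL export actually produces.

```python
"""Evidence check for PCI DSS 1.2.7 (NSC configuration reviews).

Added example, not part of the original article or of any PCI SSC material.
Flags allow-rules that no longer have a business justification and review
intervals longer than six months, so the output can be filed as review evidence.
"""
from datetime import date, timedelta

# Assumption: "at least once every six months" is checked as a 183-day window.
SIX_MONTHS = timedelta(days=183)

# Constructed sample export of NSC rules; real exports will have other fields.
SAMPLE_RULES = [
    {"rule_id": "fw-001", "src": "10.10.1.0/24", "dst": "10.20.5.10", "port": "443",
     "action": "allow", "justification": "Web tier to payment API",
     "owner": "payments-team", "expires": "2026-01-31"},
    {"rule_id": "fw-002", "src": "any", "dst": "10.20.5.10", "port": "22",
     "action": "allow", "justification": "", "owner": "", "expires": ""},
    {"rule_id": "fw-003", "src": "10.30.0.5", "dst": "10.20.5.11", "port": "1433",
     "action": "allow", "justification": "Temp vendor access for migration",
     "owner": "dba-team", "expires": "2024-03-31"},
    {"rule_id": "fw-999", "src": "any", "dst": "any", "port": "any",
     "action": "deny", "justification": "default deny", "owner": "netsec", "expires": ""},
]

# Constructed sample log of completed review dates (ISO 8601).
SAMPLE_REVIEWS = ["2024-01-15", "2024-07-10", "2025-03-01"]


def check_rules(rules, today):
    """Return (rule_id, reason) for allow-rules lacking a current business justification."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":          # deny rules need no justification
            continue
        if not rule["justification"].strip() or not rule["owner"].strip():
            findings.append((rule["rule_id"], "no business justification or owner recorded"))
            continue
        if rule["expires"] and date.fromisoformat(rule["expires"]) < today:
            findings.append((rule["rule_id"], f"justification expired {rule['expires']}"))
    return findings


def check_cadence(review_dates, today):
    """Return (start, end, days) for every interval between reviews that exceeds six months.

    The interval from the most recent review up to `today` is included, so a
    review that is simply overdue is reported as well.
    """
    dates = sorted(date.fromisoformat(d) for d in review_dates)
    gaps = []
    for prev, nxt in zip(dates, dates[1:] + [today]):
        if nxt - prev > SIX_MONTHS:
            gaps.append((prev.isoformat(), nxt.isoformat(), (nxt - prev).days))
    return gaps


def evidence_summary(rules, review_dates, today):
    """Bundle both checks into one record suitable for attaching to the review file."""
    rule_findings = check_rules(rules, today)
    cadence_gaps = check_cadence(review_dates, today)
    return {
        "as_of": today.isoformat(),
        "rules_checked": len(rules),
        "rule_findings": rule_findings,
        "cadence_gaps": cadence_gaps,
        "in_place": not rule_findings and not cadence_gaps,
    }


if __name__ == "__main__":
    summary = evidence_summary(SAMPLE_RULES, SAMPLE_REVIEWS, date(2025, 5, 1))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run against a real export, the findings list is the "removed or updated" evidence the third bullet asks for, and the dated summary is the review record for the second; the procedure document and the interviews still have to exist on their own.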

You’d be surprised at how often this seemingly basic security requirement gets missed. 

As the saying goes, “the proof is in the pudding.”

Or in this case, the proof is in your policies, standards, processes, procedures, configuration settings, access control lists, network diagrams, interviews and so much more. 

Yes, PCI DSS Compliance is hard.

And it most certainly is a pain in the a$$ to do day in and day out. 

Trust me, I’ve been there. 

I know what you’re going through.

A PCI DSS Report on Compliance may draw on over 500 pieces of evidence, and the final report can run to 700 or more pages.

Sounds miserable, right?

Hopefully, Payment Card Assessments can make it less miserable and more manageable by breaking down the types of evidence you need for each requirement.

In June we published a Documentation Hierarchy article to help you understand the different types of documentation you’ll need for PCI DSS Compliance.

Now we’re taking it one step further with the evidence you need for PCI DSS compliance during an assessment as well as for continuous compliance. 

Show Me The Evidence

Whether you’re completing a Report on Compliance or an SAQ, you’ll need evidence to back up your attestation of compliance. 

Types of PCI Compliance evidence include:

  • Policies
  • Standards
  • Configuration Standards
  • Processes
  • Procedures
  • Diagrams
  • Vendor Documentation
  • Configuration Settings
  • Real Time Observations
  • Interviews
  • Sample Sets
  • Log Files
  • Data Stores
  • Key Stores
  • Access Lists
  • Inventory Lists
  • Targeted Risk Analyses
  • Training Records and Certificates
  • Review Records
  • Employee Acknowledgments

At Payment Card Assessments, we don’t want you to go through the pain, stress, and yes the suck that we did. We want to help make PCI Compliance easier for you to achieve and maintain.

While the PCI SSC has gotten better about indicating the types of compliance evidence you need inside the testing procedures, you still need to cross-check them against the PCI DSS Reporting Template that QSAs must use when completing a Report on Compliance.

If you’re still not sure what evidence you need to have and how often you need to collect it, we’ve embraced the suck for you.

We’ve done the analysis for PCI DSS v4.0.1 and created templates that will save you time and effort because we’ve dissected the requirements, testing procedures, and reporting template so you don’t have to.

At Payment Card Assessments, we've got two templates that you can use today:

PCI DSS Requirement Frequency Template

The Ultimate PCI DSS Compliance Document & Evidence Tracker Template

These templates (and so much more) are available in our PCI Compliance Toolkit to Pro and Corporate level subscribers.

You can also find them in our Digital Download Store.

