Frequently Asked Question

Can a partial PCI DSS assessment be documented in a Report on Compliance (ROC)?

Where an entity wishes to perform a partial PCI DSS assessment against only a subset of PCI DSS requirements, it is acceptable to document such an assessment using the Report on Compliance (ROC). Such resulting reports are commonly referred to as a “Partial ROC” and often indicate the entity being assessed has yet to reach full compliance against PCI DSS. The Attestation of Compliance (AOC) may also be completed after the finalized partial ROC to demonstrate compliant findings.

There are a number of reasons why an entity may wish to perform a partial assessment, such as:
  • An entity may only need to validate a subset of requirements to their acquirer (e.g., using the prioritized approach to validate certain milestones);
  • An entity may wish to validate a new security control that impacts only a subset of requirements (e.g., a new encryption methodology requiring assessment to PCI DSS Requirements 3 and 4);
  • An entity may offer a service that addresses only a limited number of PCI DSS requirements (e.g., a hosting provider only wishes to validate physical security controls per PCI DSS Requirement 9 for their hosting facility);
  • An entity with an environment that fully meets all the eligibility criteria defined in a particular SAQ may use that SAQ as a reference to identify the applicable PCI DSS requirements for that environment.
  • During a Token Service Provider engagement, the TSP assessor may determine that a partial ROC needs to be completed to adequately address the additional considerations for PCI DSS Requirements 1-12 that affect TSPs.
When documenting such an assessment, the assessor will clearly communicate that testing of all requirements has not been performed by documenting which specific requirements were tested and which were not tested within both the ROC and the AOC. It is imperative that the assessor clearly define the scope of the assessment in the Summary Overview of the ROC and in relevant sections of the AOC.  Once the scope of the assessment has been documented, the assessor must ensure that the remainder of the ROC and AOC are consistent with the Summary Overview. At no point, should the AOC for the completion of a partial assessment indicate an organization’s full compliance with PCI DSS.

The PCI DSS ROC Reporting Instructions provide detailed instruction on how to properly document the findings from the testing performed, including the difference between “Not Tested” and “Not Applicable” finding. Accurate documentation of assessment activities performed and related findings allows any individual who reads the report to have a clear understanding of the report and remove any ambiguity of the scope of the assessment review.

February 2016
Article Number: 1382