Frequently Asked Question
Can a partial PCI DSS assessment be documented in a Report on Compliance (ROC)?
Yes. A ROC can document a partial assessment, and there are a number of reasons why an entity may wish to perform one, such as:
- An entity may only need to validate a subset of requirements to their acquirer (e.g., using the prioritized approach to validate certain milestones);
- An entity may wish to validate a new security control that impacts only a subset of requirements (e.g., a new encryption methodology requiring assessment to PCI DSS Requirements 3 and 4);
- An entity may offer a service that addresses only a limited number of PCI DSS requirements (e.g., a hosting provider only wishes to validate physical security controls per PCI DSS Requirement 9 for their hosting facility);
- An entity with an environment that fully meets all the eligibility criteria defined in a particular SAQ may use that SAQ as a reference to identify the applicable PCI DSS requirements for that environment;
- During a Token Service Provider engagement, the TSP assessor may determine that a partial ROC needs to be completed to adequately address the additional considerations for PCI DSS Requirements 1-12 that affect TSPs.
The PCI DSS ROC Reporting Instructions provide detailed instructions on how to properly document the findings from the testing performed, including the difference between a “Not Tested” finding (a requirement that was excluded from the assessment and not tested at all) and a “Not Applicable” finding (a requirement that does not apply to the assessed environment, which must be supported by a documented justification). Accurate documentation of the assessment activities performed and the related findings gives anyone who reads the report a clear understanding of what was and was not assessed, and removes any ambiguity about the scope of the assessment.