Include documentation describing the system's abilities to comply with the PCI DSS and any features or capabilities of the system that must be added or changed in order to operate in compliance with the standards.
Explanation
Documentation is what's requested here, describing how your system complies with the PCI DSS and any features or changes needed to operate within those card-data security standards. The question also asks you to identify any features or capabilities that need to be added or modified to ensure PCI DSS compliance.
Why it's being asked: Organizations that handle payment card data must comply with PCI DSS to protect cardholder data and reduce credit card fraud. Assessors want to understand if your system has been designed with PCI compliance in mind, or if there are gaps that need to be addressed before it can be safely used in a cardholder data environment.
How to best answer it: Provide comprehensive documentation that outlines:
- How your system currently meets specific PCI DSS requirements (reference the actual requirements by number if possible)
- Any compliance gaps that exist and plans to address them
- Any third-party validations or certifications you've received
- How your system handles cardholder data, including encryption methods, access controls, and logging capabilities
Be specific about which version of PCI DSS you're compliant with (currently 4.0 is the latest), and include any relevant attestations or certifications like an Attestation of Compliance (AOC) or Report on Compliance (ROC) if available.
Guidance
Refer to PCI DSS Security Standards for supplemental guidance in this section
Example Responses
Example Response 1
Our system is designed to be fully compliant with PCI DSS v4.0 We maintain comprehensive documentation of our compliance in our 'PCI DSS Compliance Package' which includes our current Attestation of Compliance (AOC) and Service Provider Responsibility Matrix Key compliance features include: 1) End-to-end encryption of cardholder data using AES-256, 2) Role-based access controls with multi-factor authentication for all administrator access, 3) Complete audit logging of all access to cardholder data, 4) Network segmentation isolating cardholder data environment, 5) Automated vulnerability scanning and patching processes Our system undergoes annual PCI DSS assessment by a Qualified Security Assessor (QSA) We can provide our full AOC and responsibility matrix upon request, which details how we meet each of the 12 PCI DSS requirements and associated sub-requirements.
Example Response 2
Our application is currently PCI DSS v3.2.1 compliant as documented in our 'PCI Compliance Framework' document The system implements a tokenization approach where actual credit card data is never stored in our environment but is replaced with tokens provided by our payment processor (Stripe) Our compliance documentation includes: 1) Data flow diagrams showing how cardholder data moves through our system, 2) Evidence of our quarterly vulnerability scans by Approved Scanning Vendor SecurityMetrics, 3) Documentation of our secure development practices aligned with PCI DSS Requirement 6, 4) Description of our encryption implementation for data in transit using TLS 1.2+ We are currently working on updating our compliance documentation for PCI DSS v4.0 and expect to complete this transition by Q3 2023 We can provide our current AOC upon execution of an NDA.
Example Response 3
Our system currently does not fully comply with PCI DSS requirements as we have not completed a formal assessment While we have implemented several security controls that align with PCI DSS requirements (such as encryption of data in transit using TLS 1.2, role-based access controls, and regular security patching), we have identified the following gaps that would need to be addressed before using our system in a PCI DSS environment: 1) We do not currently maintain a complete inventory of system components in scope for PCI DSS, 2) Our logging capabilities need enhancement to capture all required events specified in Requirement 10, 3) We have not implemented a formal vulnerability management program that meets Requirement 11, 4) We need to develop formal security policies aligned with PCI DSS requirements We have a compliance roadmap to address these gaps over the next 6 months and would be happy to share this plan with potential customers.
Context
- Tab
- Case-Specific
- Category
- Payment Card Industry Data Security Standard (PCI DSS)
Related questions
- Do you have a current, executed within the past year, Attestation of Compliance (AoC) or Report on Compliance (RoC)?
- Is the application listed as an approved Payment Application Data Security Standard (PA-DSS) application?
- Does the system or solutions use a third party to collect, store, process, or transmit cardholder (payment/credit/debt card) data?
- Do your systems or solutions store, process, or transmit cardholder (payment/credit/debt card) data?
- Are you compliant with the Payment Card Industry Data Security Standard (PCI DSS)?
- Are you classified as a service provider?

