PCI DSS 4.0: "In Place with Remediation" Reporting Option Removed

7. December 2022

With the release of PCI DSS version 4.0, the Payment Card Industry Security Standards Council (PCI SSC) introduced a new reporting option, "In Place with Remediation." This option was intended to promote security as an ongoing process by allowing organizations to identify areas for improvement year over year. Stakeholders welcomed this as a valuable tool for improving security. Within the PCI SSC Board of Advisors as well as the Global Executive Assessor Roundtable (GEAR), however, concern was voiced that the "in Place with Remediation" option could falsely give the impression of different qualities of compliance. 

"In Place with Remediation" option to be removed from document templates 

The PCI SSC is responding to industry feedback and will remove the "In Place with Remediation" reporting option from the PCI DSS v4.0 Report on Compliance (ROC), Attestations of Compliance (AOCs) and Self-Assessment Questionnaires (SAQs) templates by the end of 2022. To continue to help organizations establish a continuous security process, PCI auditors will document areas for improvement in a separate worksheet in the future. The worksheet and supporting documents are scheduled for release in early 2023.

The changes are limited to the above-mentioned validation documents and do not affect the validity of PCI DSS 4.0 beyond that.

Is your PCI DSS v4.0 certification currently in progress or recently completed?

According to our current knowledge, no major impact on ongoing or recently completed PCI DSS 4.0 assessments is expected, as the changes only affect documentation. The PCI SSC asks affected companies to contact the credit card organizations or their merchant bank in case of doubt. 

We will inform you as soon as new information is available from the Council.

Also interesting:

Top 3 Vulnerabilities in Mobile App Pentests

Top 3 Vulnerabilities in Mobile App Pentests

During their penetration tests (pentests), our security analysts at usd HeroLab repeatedly uncover vulnerabilities that pose significant risks to corporate security. They increasingly encounter the same vulnerabilities. Our blog series "Top 3 Vulnerabilities" presents...