PCI DSS 4.0: "In Place with Remediation" Reporting Option Removed

7 December 2022

With the release of PCI DSS version 4.0, the Payment Card Industry Security Standards Council (PCI SSC) introduced a new reporting option, "In Place with Remediation." This option was intended to promote security as an ongoing process by allowing organizations to identify areas for improvement year over year. Stakeholders welcomed this as a valuable tool for improving security. Within the PCI SSC Board of Advisors as well as the Global Executive Assessor Roundtable (GEAR), however, concern was voiced that the "In Place with Remediation" option could falsely give the impression of different qualities of compliance.

"In Place with Remediation" option to be removed from document templates

The PCI SSC is responding to industry feedback and will remove the "In Place with Remediation" reporting option from the PCI DSS v4.0 Report on Compliance (ROC), Attestation of Compliance (AOC) and Self-Assessment Questionnaire (SAQ) templates by the end of 2022. To continue to help organizations establish a continuous security process, PCI assessors will in future document areas for improvement in a separate worksheet. The worksheet and supporting documents are scheduled for release in early 2023.

The changes are limited to the above-mentioned validation documents and do not affect the validity of PCI DSS 4.0 beyond that.

Is your PCI DSS v4.0 certification currently in progress or recently completed?

According to our current knowledge, no major impact on ongoing or recently completed PCI DSS 4.0 assessments is expected, as the changes only affect the documentation. The PCI SSC asks affected companies to contact the card brands or their acquiring (merchant) bank in case of doubt.

We will inform you as soon as new information is available from the Council.
