PCI DSS 4.0: "In Place with Remediation" Reporting Option Removed

7. December 2022

With the release of PCI DSS version 4.0, the Payment Card Industry Security Standards Council (PCI SSC) introduced a new reporting option, "In Place with Remediation." This option was intended to promote security as an ongoing process by allowing organizations to identify areas for improvement year over year. Stakeholders welcomed this as a valuable tool for improving security. Within the PCI SSC Board of Advisors as well as the Global Executive Assessor Roundtable (GEAR), however, concern was voiced that the "in Place with Remediation" option could falsely give the impression of different qualities of compliance. 

"In Place with Remediation" option to be removed from document templates 

The PCI SSC is responding to industry feedback and will remove the "In Place with Remediation" reporting option from the PCI DSS v4.0 Report on Compliance (ROC), Attestations of Compliance (AOCs) and Self-Assessment Questionnaires (SAQs) templates by the end of 2022. To continue to help organizations establish a continuous security process, PCI auditors will document areas for improvement in a separate worksheet in the future. The worksheet and supporting documents are scheduled for release in early 2023.

The changes are limited to the above-mentioned validation documents and do not affect the validity of PCI DSS 4.0 beyond that.

Is your PCI DSS v4.0 certification currently in progress or recently completed?

According to our current knowledge, no major impact on ongoing or recently completed PCI DSS 4.0 assessments is expected, as the changes only affect documentation. The PCI SSC asks affected companies to contact the credit card organizations or their merchant bank in case of doubt. 

We will inform you as soon as new information is available from the Council.

Also interesting:

A5: BSI Publishes New Audit Framework for Trustworthy AI

A5: BSI Publishes New Audit Framework for Trustworthy AI

The German Federal Office for Information Security (BSI) has published the Community Draft of the AI Audit and Assurance Assessment Architecture (A5) (currently available in German only), thus starting the consultation phase. A5 is intended to create a standardized...

AI Vulnerability Storm: When a Lack of Speed Becomes a Risk

AI Vulnerability Storm: When a Lack of Speed Becomes a Risk

Current developments in AI systems show that vulnerabilities are found more quickly, suitable exploits are developed more quickly, and attacks are increasingly implemented automatically. This significantly reduces the time between discovery and exploitation. What used...

Bafin Publishes 9th Amendment to MaRisk

Bafin Publishes 9th Amendment to MaRisk

On 30 June 2026, all credit institutions and financial services institutions in Germany received an important circular: Following the consultation phase, the German Federal Financial Supervisory Authority (Bafin) published the 9th amendment to its Minimum Requirements...

Categories

Categories