PCI DSS Level 1 Assessments: Taming the Beast (Continued)


The apprehension for an assessor delivering their first level 1 PCI DSS assessment must be similar to the feelings that I
went through when I was told that I was deploying to Iraq on dog patrol duties (having been away from this type of role
for more than nine years) and that I would be reteaming with a dog called ‘Snap’ (as shown in Figure 1) at RAF Akrotiri.

Figure 1: Service Dog ‘Snap’ – Basrah, Iraq

Now, it wasn’t unusual for dog handlers to go through a reteam with their new service dog. What was unusual was that,
rather than the usual 5 days, this reteam was scheduled for a duration of two weeks.
When I asked why, I was not prepared for the answer.
‘Snap’ (aka ‘The Hound of Basraville’) had quite a reputation, which had even resulted in him achieving notoriety
amongst the British press (as shown in Figure 2).

Figure 2: https://www.mirror.co.uk/news/uk-news/the-hound-of-basraville561573?utm_source=linkCopy&utm_medium=social&utm_campaign=sharebar

Knowing this, part of my pre-deployment preparations was to go out and build an armoury of tricks and tools that I
could remember. I remember my first meeting with ‘Snap’ and how my initial thoughts started to mirror those of Red
Riding Hood:

Why, what big EYES he has!
Why, what big EARS he has!
Why, what big TEETH he has!

... only with the last thought, I was just hoping that he wasn’t thinking the same as the Wolf:

All the better to EAT you with!

Okay, so the reason for the extended reteam schedule: they wanted to give me an extra week to bond and become
friends with the dog before putting the dog team under any undue excitement. (It turned out to be a wise decision. Later in my deployment I would discover just what his teeth felt like. In his frustration at not being allowed to bite down on a ‘Bad Person’, one of his canine teeth would pierce through the flesh of my left forearm as though it were a red-hot knife through butter.)
However, armed with my arsenal of tricks and tools, within minutes I had ‘Snap’ literally eating out of my hand, and in less than thirty minutes I was in his kennel, lead on and ready to take him out for a walk.

Although I had so many treats and toys stuffed into every available pocket of my military-issue
uniform that I must have resembled the Ghostbusters ‘Stay Puft’ monster (as shown in Figure 3)!

Figure 3: Ghostbusters Stay Puft Monster

Today the BEAST comes in a new form: the PCI DSS v4.0 Report On Compliance (ROC) template. Fortunately, there are new digital tools and tricks available to help assessors tame this new beast.

Investing in a tool like 27K1’s ROC Management System (RMS) would be a great place to start, so that it can be used to build some additional supporting ‘tricks of the trade’.

One area of the assessment that can be made extremely efficient is applying a Third-Party Service Provider (TPSP)’s PCI DSS compliance, and its responsibilities, to an entity’s assessment.

Creating the PCI DSS Assessor’s ‘Tools and Tips of the Trade’: For the TPSP Elements
Okay, when carrying out a level 1 assessment, it is important to understand the full extent of the scope and all of the assets that make up this scope. In Jim Seaman’s PCI DSS v4.0 book, as depicted in Figure 4, he visualizes the scope as different colour zones (Dark Blue, Light Blue and Dark Green).

Figure 4: PCI DSS Scope

Now, Figure 4 was constructed from the PCI SSC’s example scoping diagram in PCI DSS v4.0. However, it must be noted that scoping for PCI DSS must encompass more than just system components and must include all assets that are identified as being Dark Blue or Light Blue (In-Scope).
Why do I make this differentiation?
As you can see from NIST’s definition, assets extend well beyond just the system components:

An item of value to stakeholders.

An asset may be tangible (e.g., a physical item such as hardware, firmware, computing platform,
network device, or other technology component) or intangible (e.g., humans, data, information,
software, capability, function, service, trademark, copyright, patent, intellectual property, image, or
The value of an asset is determined by stakeholders in consideration of loss concerns across the entire
system life cycle. Such concerns include but are not limited to business or mission concerns.

Source: NIST SP 800-160, Vol. 2, Rev 1 Developing Cyber-Resilient Systems

Your TPSPs should be considered intangible assets and, as such, be maintained in an asset inventory (PCI DSS Requirement 12.8.1). As you can see in Figure 5, using the 27K1 RMS you would start by creating a Master TPSP list, where you would input all the details required for the assessment.

Figure 5: 27K1 RMS Master TPSP List

Done this way, where several entities use the same TPSPs, the assessors need only enter these details once. Having completed this, the assessors are then able to tag the appropriate TPSPs to their respective entities (as shown in Figures 6 – 8).

Figure 6: Select TPSPs

Figure 7: Assign TPSPs

Figure 8: Create TPSP Listing

Having completed the Entity’s TPSP listing, the assessor can then request the supporting documentation for review, e.g.,

  • PCI DSS Requirements RACI Matrix (12.8.1 & 12.8.5).
  • TPSP Written Agreements/Contracts (12.8.2).
  • TPSPs’ PCI DSS Attestations Of Compliance (12.8.4).

Armed with said documents, the assessor can then start to complete the TPSP elements of the assessment:

  1. Complete Part 1, Section 4.4 (as shown in Figures 9 – 12).

Figure 9: Tag the TPSPs

Figure 10: Compile TPSP List

Figure 11: Edit TPSP table

Figure 12: Completed TPSP listing

  2. Use the RACI matrix to identify the PCI DSS Requirements that have been wholly, or partially, outsourced to a TPSP and employ the content from the Section 4.4 table to help populate any TPSP ‘In Place’ responses (as shown in Figure 13):

Figure 13: PCI DSS Requirement 9.1.1
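The two steps above (a master TPSP list tagged to entities, then a RACI matrix used to decide which requirements are TPSP-managed and what evidence must back an ‘In Place’ response) can be modelled in a few lines. This is an added illustration, not 27K1 RMS code; the TPSP names, entity name, RACI entries and AOC dates are constructed sample data, and the 12-month AOC age check is a simplified reading of 12.8.4.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Tpsp:
    name: str
    services: str
    aoc_date: Optional[date]   # date of the PCI DSS AOC on file, None if none held (12.8.4)
    contract_on_file: bool     # written agreement held (12.8.2)

@dataclass
class Entity:
    name: str
    tpsp_names: list[str]               # tags into the master TPSP list (12.8.1)
    raci: dict[str, dict[str, str]]     # requirement -> {party: "R"/"A"/"C"/"I"} (12.8.5)

# Constructed sample data (hypothetical TPSP and entity names, not from the page).
MASTER = {
    "HostCo": Tpsp("HostCo", "Hosted CDE infrastructure", date(2024, 3, 1), True),
    "ShredIt": Tpsp("ShredIt", "Secure media destruction", None, False),
}
ACME = Entity("ACME Retail", ["HostCo", "ShredIt"], {
    "9.1.1": {"ACME Retail": "A", "HostCo": "R"},       # wholly outsourced
    "9.1.2": {"ACME Retail": "R", "HostCo": "R"},       # shared responsibility
    "12.8.1": {"ACME Retail": "R"},                     # entity-managed
})

def responsibility(entity: Entity, requirement: str) -> tuple[str, list[str]]:
    """Classify a requirement by who holds 'R': entity-managed, wholly outsourced, or shared."""
    responsible = [p for p, role in entity.raci[requirement].items() if role == "R"]
    tpsps = [p for p in responsible if p in entity.tpsp_names]
    if not tpsps:
        return "entity", []
    if len(tpsps) == len(responsible):
        return "tpsp", tpsps
    return "shared", tpsps

def tpsp_evidence_gaps(entity: Entity, master: dict, as_of: date) -> dict[str, list[str]]:
    """Per tagged TPSP, list documents still missing before a TPSP-managed requirement is 'In Place'."""
    gaps = {}
    for name in entity.tpsp_names:
        t = master[name]
        issues = []
        if not t.contract_on_file:
            issues.append("no written agreement (12.8.2)")
        if t.aoc_date is None:
            issues.append("no AOC on file (12.8.4)")
        elif as_of - t.aoc_date > timedelta(days=365):
            issues.append("AOC older than 12 months (12.8.4)")
        gaps[name] = issues
    return gaps
```

Anything `tpsp_evidence_gaps` reports is exactly what the assessor must still chase before the narrative for that TPSP can be pasted in and marked ‘In Place’.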

By creating a narrative that is based on the PCI SSC’s own guidance within the v4.0 ROC template (as depicted in Figure 14), the RMS can formulate a response that can simply be pasted in after the QSA has reviewed the supporting documentation and interviewed the relevant personnel (as depicted in Figure 15).

Figure 14: Page xii – PCI DSS v4.0 ROC Template

Figure 15: TPSP Responsibility Narrative

However, please note that the manual process of referencing the supporting evidence still requires the assessor’s specialist skills and knowledge, to ensure that the supporting evidence validates that the TPSP’s responsibilities meet the PCI DSS Requirement before it is marked as ‘In Place’ (as shown in Figure 16).

Figure 16: Evidential Referencing

As you can see, the 27K1 RMS is aligned with the instructions for the ROC Template and ensures that the response narrative is specific to the appropriate TPSP, and that appropriate supporting evidence has been referenced.


If you are a QSA Company, or a company that has Internal Security Assessors (ISAs) who are permitted to carry out level 1 assessments, I would highly recommend that you check out how the 27K1 RMS can be a very effective addition to your existing toolsets. With the PCI DSS v4.0 template being far longer and requiring much more involved and time-consuming practices, an important decision needs to be made as to how you can offset and balance the new challenges and demands that are part and parcel of a PCI DSS v4.0 ROC assessment.

‘Burning the Candle at Both Ends’?
What ‘Trade Offs’ do you have available to you?

  • Invest time and effort to create internal tools and tricks?
  • Do you ask your assessors to deliver the v4.0 assessments in the same time frames as a v3.2.1 assessment?
  • Does this increase the Quality Assurance time needed?
  • Do you ask your existing clients to pay for the increased time needed to complete these much more involved assessments?
  • Can you offset these additional time-consuming requirements through digitalization of your assessment practices, enabling the technology to bear the burden of much of the administrative task so that your highly specialist, experienced and skilled assessors can focus on doing the validation work?


The uplift from a PCI DSS v3.2.1 to a v4.0 assessment should not be underestimated or taken lightly. The enhanced assessment practices, requiring both evidence-based and evidence-focused approaches to be applied to effectively complete the new ROC template format (circa 166% longer), will require far more of an assessor’s time.

Failure to respond effectively to these new time-consuming challenges may be a very risky decision with serious consequences. However, by investing in suitable technology your organisation could easily absorb these risks, having the technology save your assessors time and help improve their consistency and efficiency.

By all means consider your options and weigh them against investing in the 27K1 RMS, to truly ascertain its potential Return On Investment (ROI).

Hey, don’t take my word for it!

Why not check out the 27K1 RMS for yourself and book a demo, today?