Date posted: 05-Apr-2018
Category: Documents
7/31/2019 Compliance Dashboard v0.6
V0.1 (January 2011): Requirements and testing procedures
V0.2 (February 2011): Add merchant type for each requirement
V0.3 (August 2011): Include Prioritized Approach milestones as defined by PCIco
- Add a column "Priority" with PCIco milestones (1 to 6)
- Add a column "Status of implementation"
- Add a column "Estimated date to completion"
- Add a sheet "Actors"
V0.4 (October 2011):
- Add a sheet "What is my merchant type?" with the full description of the merchant types
- Add major observations from the 2011 Verizon PCI Compliance Report for each of the twelve requirements
- Add a column "Validation instructions for QSA/ISA" from the newly released ROC QSA Reporting Instruction Manual
V0.5 (November 2011):
- Add guidance for each requirement from "Navigating PCI DSS V2.0"
- Add a compensating controls sheet for the definition and management of compensating controls. Whenever a compensating control is present, reference it in the "In place" column by its ID from the compensating controls sheet
- Add a Glossary
What's new?
PCI Compliance Dashboard VERSION 0.5
Please feel free to use this compliance dashboard spreadsheet to sustain your journey to PCI compliance, and to support the discussion with your internal team, QSA and acquiring banks.
Please send any comments, observations or suggestions to [email protected]
Compliance Dashboard home page
More information
PCI 30 seconds newsletter - PCI what are you talking about?
PCI 30 seconds newsletter - Payment processing terminology and workflow
PCI 30 seconds newsletter - Distributing roles
PCI 30 seconds newsletter - Merchant levels
PCI 30 seconds newsletter - What is your type?
PCI 30 seconds newsletter - PCI DSS in a nutshell
PCI 30 seconds newsletter - Define the scope of an assessment
PCI 30 seconds newsletter - Certification program, striving for quality
PCI 30 seconds newsletter - The validation toolbox
PCI 30 seconds newsletter - Prioritized Approach
PCI 30 seconds newsletter - Tokenization
PCI 30 seconds newsletter - the gap analysis process
PCI 30 seconds newsletter - Compensating controls, magic trick or mirage?
PCI 30 seconds newsletter - The world is not perfect!
PCI 30 seconds newsletter - Nice Look!
Thoughts on the Verizon PCI Compliance Report
Can I use compensating control to resolve vulnerabilities found during a scan?
What to do if my organization can't demonstrate four passing Internal or external scans?
Verizon 2011 PCI Compliance Report
V0.6 (December 2011):
- Add an Executive Summary tab including the number of requirements, the % of compliance and the Severity (sum of all severities) depending on the selected merchant type
- Add a Charts tab including Severity per Requirement and % compliance per requirement
- Add a Severity column (= PCI-defined priority for requirements not in place)
- Add list boxes for In place / Not in place and Compensating control present
- All sheets are protected to avoid accidental deletion (no password)
Instructions:
1. Select your merchant type within the sheet "Executive summary"
2. Select the appropriate answer for each requirement (column L: Y/N/C)
3. Use the compensating controls sheet to describe your controls whenever used
4. View your compliance progress through the "Executive summary" and "Charts" sheets
Contributor
Peter Hill
Didier Godart
Risk Product Manager
Rapid7
+32 498787744
SkypeID Dgozone
Swathy Anand
Vice President - Project Management
Fuze Network
ORGANIZATION NAME
Merchant Type: D
PCI-DSS REQUIREMENTS | % compliance | # of Requirements | # in Place | # not in Place
of 449