WithPCI.com

12.4.2.1 Additional requirement for service providers only

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

12.4.2.1 Additional requirement for service providers only: Reviews conducted in accordance with Requirement 12.4.2 are documented to include:

  • Results of the reviews.
  • Documented remediation actions taken for any tasks that were found to not be performed at Requirement 12.4.2.
  • Review and sign-off of results by personnel assigned responsibility for the PCI DSS compliance program.

Customized Approach Objective

Findings from operational effectiveness reviews are evaluated by management; appropriate remediation activities are implemented.

Applicability Notes

This requirement applies only when the entity being assessed is a service provider.

Defined Approach Testing Procedures

12.4.2.1 Additional testing procedure for service provider assessments only: Examine documentation from the reviews conducted in accordance with PCI DSS Requirement 12.4.2 to verify the documentation includes all elements specified in this requirement.

Purpose

The intent of these independent checks is to confirm whether security activities are being performed on an ongoing basis. These reviews can also be used to verify that appropriate evidence is being maintained - for example, audit logs, vulnerability scan reports, reviews of network security control rulesets - to assist in the entity's preparation for its next PCI DSS assessment.

Purpose

Service providers only: Assign a PCI DSS compliance program manager.

Compliance Strategies

  • Designate a compliance officer
  • Document program manager role

Typical Policies

  • PCI DSS Compliance Program Charter

Common Pitfalls

  • No dedicated compliance manager

Type

Governance

Difficulty

Low

Key Risks

  • Compliance program gaps

Recommendations

  • Assign a qualified compliance professional

Eligible SAQ

  • SAQ-D SERVICE PROVIDER
