Society of Payment Security Professionals Forum  

  #1  
01-22-2009, 07:12 AM
lalajane
Junior Member
 
Join Date: Dec 2008
Posts: 10
Questions about PCI documentation/reporting

I'm working on standard document templates for our PCI group (we recently became an ASV and QSAC) and have three questions related to PCI documentation and formats.

1. Do we have to keep the PCI SSC logo on documents such as the ASV and QSA feedback forms, the attestation of compliance, and the compensating controls worksheet, or can we replace it with our logo (or no logo)?

2. Can we make changes to the "style" of documents such as the ASV and QSA feedback forms, the attestation of compliance, and the compensating controls worksheet to match our corporate style (as long as the overall layout is the same and the content doesn't change)?

3. The QSA feedback form in the Validation Requirements for QSAs V1.1a is different than the QSA feedback form available on the web site. For example, the feedback form in the Validation Requirements document has 5 choices for responses, but the form on the web site only has 4. And, the feedback form for the payment brands and others in the Validation Requirements document has 6 questions, but the online form only has 3. Which version of the feedback forms should we use - the versions in the Validation Requirements for QSA or the separate versions on the PCI SSC Web site?

Thanks

Jane Laroussi, CISSP, QSA
  #2  
01-30-2009, 06:31 PM
jbhall56
Senior Member
 
Join Date: Feb 2007
Location: Minneapolis, MN
Posts: 1,282

Quote:
Originally Posted by lalajane
1. Do we have to keep the PCI SSC logo on documents such as the ASV and QSA feedback forms, the attestation of compliance, and the compensating controls worksheet, or can we replace it with our logo (or no logo)?

No, you do not need to keep the PCI SSC logos on the forms. As a QSA, you should receive or have access to the Word versions of the Security Assessment Procedures and other documentation.

Quote:
Originally Posted by lalajane
2. Can we make changes to the "style" of documents such as the ASV and QSA feedback forms, the attestation of compliance, and the compensating controls worksheet to match our corporate style (as long as the overall layout is the same and the content doesn't change)?

As far as I'm aware, any forms that go back to the card brands, PCI SSC or the like must remain "as is."

Quote:
Originally Posted by lalajane
3. The QSA feedback form in the Validation Requirements for QSAs V1.1a is different than the QSA feedback form available on the web site. For example, the feedback form in the Validation Requirements document has 5 choices for responses, but the form on the web site only has 4. And, the feedback form for the payment brands and others in the Validation Requirements document has 6 questions, but the online form only has 3. Which version of the feedback forms should we use - the versions in the Validation Requirements for QSA or the separate versions on the PCI SSC Web site?

We always use the forms from the Web site as they are always kept current.
__________________
Jeff Hall, Director, Risk Advisory Services
RSM McGladrey Inc
801 Nicollet Mall, 11th Floor, West Tower
Minneapolis, MN 55402-2526
612 376 9280 - office
612 395 7280 - facsimile
www.mcgladrey.com

The views presented are those of the writer and are not necessarily those of RSM McGladrey Inc
All times are GMT -8.


Copyright (c) The Aegenis Group, Inc.