Transform the Entire Approach - PCI ROC Assessments

In this post I describe the TurboQSA mechanisms for performing ROC assessments. You will learn how to improve your customers outcomes, cut 30% or more off of assessment times and earn more money as a QSA firm.

featured image for post Transform the Entire Approach - PCI ROC Assessments

In my years of performing ROC assessments, I always approached each engagement trying to improve the process and accuracy of the outcome. Environment complexity certainly would add to the headache as would nailing down stakeholders responsible for various aspects of each payment channel. Generally, the project would start with a long meeting or series of meetings with whomever I could tie down. The goal of these early meetings was to gain as much understanding about the environment as I could. I would feverishly take notes as we walked through payment processes and would go back to the hotel at days end and create a spreadsheet for each payment channel with whatever I learned. From there, I would start attacking the controls. Often times, interviews uncovered more people involved and led to churn.

Managing ROC projects this way is a hassle. It does not scale well and if you have more than one assessment going, it can lead to errors and confusion.

With TurboQSA, the assessment workflow is sensible. You start by creating the client. Enter the key details about them. Of course, all of this is automatically carried over to the ROC and AOC(s). Next, you create the ROC project. In defining the project, you will input the payment channels. For some operations this might only be a single channel. For others, there could be 2 or more. While defining payment channels, if you already know that, for example, the retail payment channel has implemented a validated P2PE solution, you can set that option in the payment channel and the software will hide all non-relevant controls.

Client Setup

Another time-saving feature is the ability to input a “default not-applicable” response. By doing so, everywhere a control is not applicable (for example all of requirement 1 for a P2PE implementation), the system will insert that response.

Of course, you can show and report on anything you want, but this serves as a great way to start. If you have multiple payment channels and they have different requirements, the system will display what is required and for what payment channel(s) it is required:

Inputs Screen

After defining payment channels, it is time to dive deep on who is responsible for the various aspects of each environment. So those early interviews are more about looking at a defined set of responsibility areas (by payment channel) and creating a user for each of them. Responsibility areas include:

  • AntiVirus Software Configuration And Management
  • ASV Scans
  • Database Administrators / Owners
  • Encryption Of Data In Transit
  • Encryption Standards And Implementation For Storage Of CHD
  • Firewall And Routers Configuration And Management
  • Human Resources And Training Coordinator
  • Incident Response And Log Monitoring
  • Information Security Management
  • Internal And External Vulnerability Scanning
  • Network Architecture - Operations And Management
  • Patch Installation Management
  • Penetration Testing
  • Physical Access Control
  • Servers And Workstations Configuration And Management
  • Software Development Processes
  • User Account Management
  • Users Privilege Management
  • Wireless Configuration And Management

After you create one or more client user accounts for each responsibility area, things get a whole lot easier.

The best place to start is to perform a “1-click” evidence request operation:

1-click evidence request

As you can see, you can schedule interviews from this screen as well.

Speaking of interviews, the easy-to-use interview interface makes quick work of setting up meaningful interviews and inviting the correct audience. It also provides an opportunity to add topics to meetings where invited parties also have responsibility for those topics.

Add Interview Topics

Of course, the software tracks all of this and correctly enters information about evidence received in the proper section of the ROC and interviews conducted in its proper spot as well as in the controls covered.

Starting to see how time is going to be significantly saved? Headache reduction is also accomplished!

As you get into entering responses for individual controls there are several key features to improve the accuracy and collaborative nature of getting the responses entered.

For example, “Hints” are a tool that allow your QSAs to look through company approved responses from prior ROCs they have performed for ideas on what was accepted. They can paste the response in and edit it, or they can simply use hints for a reminder on the intent of a control response.


Brief descriptions for all the control level features are here:

Control Level Features

More Control Level Features

Feel confident as you complete the ROC. The system will be sure you have entered a response for each payment channel and in cases where a control has a response requirement for more than one payment channel, the response will be formatted in a way that is easy to read and is clear.

Inputting the data into TurboQSA:

Inputting Responses

What it looks like on the report:

Responses in Report

This article could go on and on about the productivity enhancements built into the TurboQSA, however, that would take all the fun out of you discovering for yourself how TurboQSA can accelerate and transform your PCI ROC business. But I will show you one more thing…

When you are ready to see the ROC or AOC, you simply push one button and wait less than 30 seconds.

ROC Output

Of course, you can do this any time throughout the entire process. Click here to start your free trial of TurboQSA or click here for more information and a demonstration.

Bring smiles back to your customers AND your QSAs!

For more information contact today!