Protecting Information About an Entity’s Security Posture
The processes related to becoming and maintaining a PCI DSS compliant environment result in many artifacts that an entity may consider sensitive and may want to protect as such, including items such as the following:
The Report on Compliance or Self-Assessment Questionnaire (the associated Attestation of Compliance is not considered sensitive and third-party service providers (TPSPs) are expected to share their AOC with customers).
Network diagrams and account data-flow diagrams, and security configurations and rules.
System configuration standards.
Cryptography and key management methods and protocols.
Entities should review all the artifacts related to PCI DSS controls or the assessment and protect them in accordance with the entity’s security policies for this type of information.
TPSPs are required (PCI DSS Requirement 12.9) to support their customers with the following:
Information needed for customers to monitor the TPSPs’ PCI DSS compliance status (to enable the customer to comply with Requirement 12.8), and
Evidence that the TPSP is meeting applicable PCI DSS requirements where the TPSP’s services are intended to meet or facilitate meeting a customer’s PCI DSS requirements, or where those services may impact the security of a customer’s CDE.
This section does not impact or negate a TPSP’s obligation to support and provide information to their customers per Requirement 12.9. For more details about expectations for TPSPs and relationships between TPSPs and customers, see Use of Third-Party Service Providers.
Protection of Confidential and Sensitive Information by Qualified Security Assessor Companies
Each Qualified Security Assessor (QSA) Company signs an agreement with PCI SSC that they will adhere to the Qualification Requirements for QSAs. The Protection of Confidential and Sensitive Information section of that document includes the following:
“The QSA company must have and adhere to a documented process for protection of confidential and sensitive information. This must include adequate physical, electronic, and procedural safeguards consistent with industry-accepted practices to protect confidential and sensitive information against any threats or unauthorized access during storage, processing, and/or communicating of this information.
The QSA Company must maintain the privacy and confidentiality of information obtained in the course of performing its duties and obligations as a QSA Company, unless (and to the extent) disclosure is required by legal authority.”