Before I answer this question, I'd like to address what a PCI DSS Report of Compliance (ROC) is. According to the...
PCI DSS assessment website, ROC is a commonly used term for the Payment Card Industry Data Security Standard (PCI DSS) assessment that Visa demands to satisfy merchant and service provider reporting requirements. With Visa's large market share, the term ROC has become common throughout the industry, but other payment card brands require reports similar to a ROC under different names, such as Discover's DISC Attestation of Compliance, American Express' Annual Executive Summary of Onsite Security Audit Report, and MasterCard's Certificate of Validation.
ROCs can be considered extremely sensitive and, in my opinion, should be kept confidential if at all possible; however, I realize that this cannot always be the case for public agencies subject to Freedom of Information Act (FOIA) requirements.
I'm not sure of any circumstance where you would not forward a ROC to a legitimate requesting agency --– such as a bank for PCI DSS --– but it is understandable why an organization may not want to share it under various circumstances. In particular, if the ROC results are not entirely positive, then such information in the wrong hands --– a competitor's, for example, or the press' --– could have serious consequences.
Something to consider: Why doesn't the legal department want to release or allow for a copy of the ROC to be sent? Perhaps by understanding its reasons better, you can decide on a more effective way to proceed.
If the reason for the legal department's reticence is the potentially insecure means of transmission of the ROC, then considerations such as encryption, courier or other highly secure methods may solve the problem.
Would it be possible to allow for the requesting authority to visit the corporation itself, where the ROC is physically located? There, under the auspices of a Non-Disclosure Agreement (NDA), they could review the document without the ROC ever being released outside of the enterprise.
Please understand that these answers are a bit constrained because I am not sure of all the circumstances. But asking some of the above questions should get you started down the right path.
For more information:
Dig Deeper on PCI Data Security Standard
Related Q&A from Ernie Hayden
In this Ask the Expert video, Ernie Hayden answers the question of what 'big data' is and outlines big data security issues in this video. Continue Reading
Every firm needs a security conscience, according to expert Ernie Hayden, who says it is critical among key CISO responsibilities. Continue Reading
Dealing with lawyers is often a challenge. Ernie Hayden offers advice for CISOs dealing with enterprise information security legal issues. Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.