Before I answer this question, I'd like to address what a PCI DSS Report of Compliance (ROC) is. According to the ... PCI DSS assessment website, ROC is a commonly used term for the Payment Card Industry Data Security Standard (PCI DSS) assessment that Visa demands to satisfy merchant and service provider reporting requirements. With Visa's large market share, the term ROC has become common throughout the industry, but other payment card brands require reports similar to a ROC under different names, such as Discover's DISC Attestation of Compliance, American Express' Annual Executive Summary of Onsite Security Audit Report, and MasterCard's Certificate of Validation.
ROCs can be considered extremely sensitive and, in my opinion, should be kept confidential if at all possible; however, I realize that this cannot always be the case for public agencies subject to Freedom of Information Act (FOIA) requirements.
I'm not sure of any circumstance where you would not forward a ROC to a legitimate requesting agency, such as a bank for PCI DSS, but it is understandable why an organization may not want to share it under various circumstances. In particular, if the ROC results are not entirely positive, then such information in the wrong hands (a competitor's, for example, or the press') could have serious consequences.
Something to consider: Why doesn't the legal department want to release or allow for a copy of the ROC to be sent? Perhaps by understanding its reasons better, you can decide on a more effective way to proceed.
If the reason for the legal department's reticence is the potentially insecure means of transmission of the ROC, then considerations such as encryption, courier or other highly secure methods may solve the problem.
Would it be possible to allow for the requesting authority to visit the corporation itself, where the ROC is physically located? There, under the auspices of a Non-Disclosure Agreement (NDA), they could review the document without the ROC ever being released outside of the enterprise.
Please understand that these answers are a bit constrained because I am not sure of all the circumstances. But asking some of the above questions should get you started down the right path.
Related Q&A from Ernie Hayden