Three Steps to Avoiding an “In Place With Remediation” Status

By Sherri Collis & Steve Levinson on August, 15 2022

Get latest articles directly in your inbox, stay up to date

Back to main Blog
Sherri Collis & Steve Levinson

Three steps to avoiding the new "In Place with Remediation" status and using the seven P's to help -- prior proper planning prevents p*#s poor performance!

A few months ago, we published a blogThere’s Trouble Brewing: In Place with Remediation”. In this blog post, we provide an update on the latest around In Place with Remediation status that includes comments from the PCI Council as well as some strategic advice to help reduce the probability that you find yourself in this situation.


The PCI DSS v4.x ROC Template – Frequently Asked Questions document on the Council’s site provides the following as the purpose of this new assessment finding:


“In Place with Remediation is used when a requirement was not in place
at some point during the PCI DSS assessment period, but where the entity
remediated the issue such that the requirement was in place before the
completion of the assessment. This option provides reporting transparency
so that report reviewers can better understand the entity’s security posture throughout the assessment period.”



The FAQ continues:

“In all cases where In Place with Remediation is used, the assessor must have:

  • Assurance that the entity has identified and addressed the reason why the control failed,
  • Implemented the control, and
  • Implemented ongoing processes to prevent re-occurrence of the control failure.”

The FAQ also provides examples of when this response status can be used:

  • An example of the use of In Place with Remediation is when an entity cannot provide evidence that ASV scans were conducted every quarter during the past year, but where the entity conducts the ASV scan, determined why scans were missed in the past, and implements processes to prevent re-occurrence in the future.

    Other examples include:
  • A security patch that was not applied within 30 days
  • A misconfigured network security control
  • A missing or inadequate policy document
  • Unintentional storage of unencrypted PAN
  • Unintentional storage of SAD


The Council goes on to state that assessors should compare responses year over year to identify the same problematic findings.


Based on this information, here are some key points to consider:


  • What did you have to remediate during your last PCI assessment, or even an assessment you are in the middle of right now?

  • Keeping in mind what you have had to remediate during your previous (or current) PCI assessments, consider if reporting this remediation to your acquirer or customers would create an issue for your organization. Let’s take service providers as an example:


- Have you considered the contractual terms you have with your customers for maintaining PCI compliance (would you be in breach of contract if you had a requirement with a status of “In Place with Remediation")?

- Do you have notification clauses in contracts with your customers if you become out of compliance with PCI during the term of the contract?

- Do you have any customers who would see this as an opportunity to cancel a contract or to litigate?


What are some proactive things you can do to reduce the probability of this finding? Here are three things you can do to hopefully avoid In Place with Remediation status:


1. Perform a gap assessment prior to doing the actual PCI assessment. This will help identify areas you need to remediate prior to beginning the assessment. Note that you can do a partial gap assessment to assess those areas where you know your organization has struggled in the past.


2. If applicable, review past remediation items you were required to perform during your previous assessments. Take note of any areas where you believe you may still have issues. Revisit and resolve these issues prior to your QSA beginning the assessment.


3. Strive to increase security maturity towards continuous compliance and not just during the assessment window. Assign a Program Manager to monitor the status of any maintenance items that are required to be completed throughout the year. This includes some of the following, just to name a few of those we regularly see where remediation is required:

a. Firewall rule set reviews

b. External vulnerability scans – with clean scans

c. Internal vulnerability scans – with clean scans

d. Inventory of all system components in scope of the assessment

e. Penetration tests – with clean test

f. Scope documentation (as further defined in v4.0)


As a newly certified v4.0 Assessor who has spent hundreds of hours studying v4.0 and watching the PCI SSC’s v4.0 Global Symposium, I would say that better preparation will be imperative to v4.0. I wouldn’t even consider having my QSA begin the assessment until I had the following ready and on the table for them:


  • Inventory
  • Network and data flow diagrams
  • Clean vulnerability scans
  • Clean pen test results
  • Documented scope including any changes based upon significant change


Being prepared will be key to navigating this new Standard as it will be the epitome of the seven Ps (prior proper planning prevents piss poor performance).


Let me know if we can help!

Submit a Comment

Get latest articles directly in your inbox, stay up to date