RBS WorldPay Merchant Reporting Tool
This document has been created so that we can easily track your journey to compliance.
We are required to send quarterly reports to both Visa and MasterCard on our merchants' progression
towards full PCI DSS compliance; going forward these reports will include progression against the
Below is a simple guide on how to fill out this report, but if you have any questions please don't
hesitate to contact your dedicated PCI manager or email the team at PCIDSS@rbs.co.uk.
There are two other tabs contained within this document:
1. PCI DSS requirements: This includes all requirements contained in the full PCI DSS. You should
work your way through these using the drop-down menus to choose the right answer from the following:
"compliant", "in progress", "non compliant", "not applicable". If a requirement is not applicable you
should include the reason why.
2. Summary: The summary page contains fields for you to complete about your organisation and
gives you an overview of your current status against the Prioritised Approach. If you answer that you
are compliant with half of the requirements, the summary page will show you as 50% compliant
and advise you how this fits against the approach.
This reporting tool should be used by all non-compliant merchants to send us monthly
updates on the progress made towards PCI DSS compliance.
We require merchants to update this tool and send it to us on a monthly basis until compliance has
been achieved. Once fully compliant, a merchant can confirm this to us in one of several ways:
1. A compliant ROC (Report on Compliance from a QSA).
2. A compliant SAQ (only if level 2-4).
3. A compliant RBS WorldPay Merchant Reporting Tool and a separate Attestation of Compliance
(only if level 2-4).
For all of the above options we will also require compliant quarterly external vulnerability scans if your
business has any external-facing IP addresses in scope.
Requirement 9: Restrict physical access to cardholder data.
Req.     Requirement                                                                                  Milestone
9.6      Physically secure all paper and electronic media that contain cardholder data.               5
9.7      Maintain strict control over the internal or external distribution of any kind of media      5
         that contains cardholder data, including the following:
9.7.1    Classify the media so it can be identified as confidential.                                  5
9.7.2    Send the media by secured courier or other delivery method that can be accurately            5
9.8      Ensure management approves any and all media containing cardholder data that is              5
         moved from a secured area (especially when media is distributed to individuals).
9.9      Maintain strict control over the storage and accessibility of media that contains            5
9.9.1    Properly maintain inventory logs of all media and conduct media inventories at least         5
9.10     Destroy media containing cardholder data when it is no longer needed for business            1
         or legal reasons as follows:
9.10.1   Shred, incinerate, or pulp hardcopy materials so that cardholder data cannot be

Requirement 12: Maintain a policy that addresses information security for employees and contractors.
Req.     Requirement                                                                                  Milestone
12.1     Establish, publish, maintain, and disseminate a security policy that accomplishes            6
12.1.1   Addresses all PCI DSS requirements that sit within milestone 1                               1
12.1.1   Addresses all PCI DSS requirements that sit within milestone 2                               2
12.1.1   Addresses all PCI DSS requirements that sit within milestone 5                               5
12.1.1   Addresses all PCI DSS requirements that sit within milestone 6                               6
12.8     If cardholder data is shared with service providers, maintain and implement policies         2
         and procedures to manage service providers, to include the following:
12.8.1   Maintain a list of service providers.
12.8.2   Maintain a written agreement that includes an acknowledgement that the service               2
         providers are responsible for the security of cardholder data the service providers
12.8.3   Ensure there is an established process for engaging service providers including              2
         proper due diligence prior to engagement.
12.8.4   Maintain a program to monitor service providers' PCI DSS compliance status.                  2
Summary page: organisation details
Status (MUST BE COMPLETED IF
Name of organisation:
Contact within organisation:                 Phone number:
Current QSA (if applicable):
Compliance validation         External validation via:          <---- please choose from drop-down menu.
Vulnerability scans           ASV:
                              Date of last scan:
                              Result of last scan:
Payment application           Vendor:
                              Application name and version:
                              PA-DSS compliant?                 <---- please choose from drop-down menu.
Payment acceptance methods    Face to face?
                              Mail order / telephone order?     <---- please choose from drop-down menu.
Summary page: milestone goals
Columns: Milestone | Goals | Percent Compliant | Percent In Progress | Target Date for

Milestone 1: Remove sensitive authentication data and limit data retention. This milestone targets a key
area of risk for entities that have been compromised. Remember – if sensitive authentication data and
other cardholder data are not stored, the effects of a compromise will be greatly reduced. If you don't
need it, don't
    Percent compliant: 0.0%    Percent in progress: 0.0%    Target date for:

Milestone 2: Protect the perimeter, internal, and wireless networks. This milestone targets controls for
points of access to most compromises – the network or a wireless access point.
    Percent compliant: 0.0%    Percent in progress: 0.0%    Target date for:

Milestone 3: Secure payment card applications. This milestone targets controls for applications,
application processes, and application servers. Weaknesses in these areas offer easy prey for
compromising systems and obtaining access to cardholder data.
    Percent compliant: N/A     Percent in progress: N/A     Target date for: N/A

Milestone 4: Monitor and control access to your systems. Controls for this milestone allow you to detect
the who, what, when, and how concerning who is accessing your network and cardholder data.
    Percent compliant: N/A     Percent in progress: N/A     Target date for: N/A

Milestone 5: Protect stored cardholder data. For those organizations that have analyzed their business
processes and determined that they must store Primary Account Numbers, Milestone Five targets key
protection mechanisms for that stored data.
    Percent compliant: 0.0%    Percent in progress: 0.0%    Target date for:

Milestone 6: Finalize remaining compliance efforts, and ensure all controls are in place. The intent of
Milestone Six is to complete PCI DSS requirements, and to finalize all remaining related policies,
procedures, and processes needed to protect the cardholder data.
    Percent compliant: 0.0%    Percent in progress: 0.0%    Target date for:

Overall
    Percent compliant: 0.0%    Percent in progress: 0.0%