Documenting the Impact of System Changes for PCI DSS Compliance

PCI DSS requirement 6.4.5.1 says that change documentation must include an assessment of the impact of the change “so that all affected parties can plan appropriately for any processing changes.”

Who are the affected parties?

It depends on your environment, but consider:

  • Reviewers
  • QA testers
  • Documentation writers
  • Users
  • Database Administrators
  • Identity and Access Managers
  • Support staff
  • Business process owners
  • Risk owners
  • Privacy owners

What kinds of impacts need to be documented?

  • How to test the changes
  • What is expected as a result of the change
  • If a field no longer accepts a specific type of input, or a new field has been implemented
  • If a new payment processor has been implemented
  • If logs have been discovered to contain sensitive information
  • If cryptographic conditions have changed and what consequences that may have (e.g. key rotation and re-key of databases, or requiring a browser upgrade)
  • Whether storage requirement predictions may change
  • Whether bandwidth requirements could increase
  • Whether API functions have been added or changed
  • Whether the change will impact the scope for PCI DSS compliance

What kinds of tests should be performed?

  • Static and dynamic testing of the application
  • Static and dynamic testing of the servers
  • Database schema reviews
  • Database content review
  • Log content review
  • API function review, and logging entries made by all API calls
  • Cryptographic compatibility reviews (if changes were made)
  • Diagnostics and elevated logging capability (if any) review
  • Access management review if the changes included client login facilities
  • Access management review if the end-user has access to their card information after submission

The testing guidance for Requirement 6.4.6 asks the QSA to review all the documentation produced as part of a significant change, which could include any or all of the change management and collateral paperwork described above.
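As an added example (not from the original post), the three checklists above expressed as a simple change-record check: it flags a record that omits affected parties, an expected result, a test plan or a PCI DSS scope assessment, and it requires the review the post associates with each documented impact. The `ChangeRecord` fields and the impact-to-review mapping are assumptions for illustration, not part of the standard.

```python
# Added example (not from the original post): checks that a change record documents
# affected parties, expected result, test plan, PCI DSS scope impact, and the review
# implied by each flagged impact. The impact->review mapping below is an assumption.
from dataclasses import dataclass, field
from typing import Optional

# Impact flag -> review the post lists as relevant to that impact (assumed mapping)
IMPLIED_TESTS = {
    "crypto_changed": "cryptographic compatibility review",
    "logs_contain_sensitive_data": "log content review",
    "api_changed": "API function review",
    "login_facilities_changed": "access management review",
    "card_data_visible_after_submission": "access management review",
}

@dataclass
class ChangeRecord:
    change_id: str
    affected_parties: list = field(default_factory=list)
    impacts: dict = field(default_factory=dict)   # impact flag -> bool
    expected_result: str = ""
    test_plan: list = field(default_factory=list)  # planned tests/reviews
    pci_scope_impact: Optional[bool] = None        # None means "not assessed"

def check_change_record(rec: ChangeRecord) -> list:
    """Return the documentation gaps found; an empty list means the record is complete."""
    gaps = []
    if not rec.affected_parties:
        gaps.append("no affected parties listed")
    if not rec.expected_result.strip():
        gaps.append("expected result of the change not documented")
    if not rec.test_plan:
        gaps.append("no test plan (how to test the change) documented")
    if rec.pci_scope_impact is None:
        gaps.append("PCI DSS scope impact not assessed")
    tests = {t.lower() for t in rec.test_plan}
    for flag, review in IMPLIED_TESTS.items():
        if rec.impacts.get(flag) and review.lower() not in tests:
            gaps.append(f"impact '{flag}' set but '{review}' missing from test plan")
    return gaps

# Constructed sample: a key rotation whose test plan forgot the cryptographic review
sample = ChangeRecord(
    change_id="CHG-0001",
    affected_parties=["Database Administrators", "Risk owners"],
    impacts={"crypto_changed": True, "api_changed": False},
    expected_result="All records re-encrypted under the new key; old key retired",
    test_plan=["database content review"],
    pci_scope_impact=False,
)
```

Running `check_change_record(sample)` reports the single missing cryptographic compatibility review, which is the kind of gap a reviewer would want surfaced before the change record is filed.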
