I got lucky that my new employer allowed me to go to this year’s PCI Community Meeting held in Las Vegas. It is always nice to hear things first hand versus getting the slide decks, asking questions of the people that attended about certain points in the slide decks and finding out that the people attending did not think a question was needed or they cannot remember what was said.
Probably the biggest revelation out of this year’s Community Meeting was from the Qualified Security Assessor/Approved Scanning Vendor (QSA/ASV) session the day before the Community Meeting started. It seems that the Council has finally addressed with v3 the message a lot of Qualified Security Assessor Companies (QSACs) have been putting forth regarding the time it takes to write a Report On Compliance (ROC). Those of us complaining have argued for years that the ROC writing process occupies too much of a QSA’s time (anywhere from 50% to 70% of a project). As a result, under today’s Reporting Instructions, QSAs tend to worry more about what to write than making sure their client is actually compliant and advising that client how to better maintain compliance.
The ROC will now have an overall ranking for the entire requirement that is a check box that indicates whether the requirement is ‘In Place’, ‘In Place with Compensating Control’, ‘Not Applicable’, ‘Not In Place’ or ‘Not Tested’. Then under the requirement, will be the tests for the requirement. It is with each test where the QSA will provide a list of documents reviewed, a list of people interviewed, observations made and sampling selected. QSAs will no longer have to write meaningless but Quality Assurance approved diatribes regarding a test. All that will be needed is a list of documents, a list of persons interview, a list of observations made and a list of samples taken.
Now before some of you go nuts about the check box, the Council has not adopted a check box assessment approach. QSAs are still required to conduct their assessments in a process similar to what is conducted today for a PCI DSS v2 assessment. What the Council is doing is simplifying the reporting generation and review processes. The Council finally acknowledged the fact that, other than QSAs and their QA reviewers, practically no one was reading the 300+ page tomes that were being produced – even the acquiring banks. What they are doing is making the ROC easier to review and read as well as lessening the writing requirements so that QSACs can more readily adopt automated systems to facilitate the conducting of assessments and generating the ROC. The idea is that this will then allow QSAs to focus on assisting their clients with PCI compliance related activities and fold into the ‘Business As Usual’ approach that is being rolled out with v3.
The most intriguing category is ‘Not Tested’. The Council added this category for those situations where a QSA did not test the control. This most often occurs when a QSA is relying on a Service Provider’s Attestation Of Compliance (AOC) for that control such as with firewall configuration management, network security monitoring, custom application software development or other services. The Council also indicated that Service Provider AOCs may also be getting modified so that QSAs and others relying on them can determine what PCI requirements the Service Provider’s AOCs actually tested.
Now the bad news about this great advancement forward. The Council has no idea when the final version of the Reporting Template will be available. Since v3 of the PCI DSS will not be finalized until November, they do not yet have a timeline on how quickly after the release of v3 that the Reporting Instructions will be released. As a result, QSACs will likely not be rolling out PCI DSS v3 assessments until the Reporting Template is released. One reason will be because of the major changes involved in v3 and, probably the larger reason, because none of the QSACs want to be put in remediation by the Council for creating ROCs that do not meet the Council’s Quality Assurance requirements.
On the new requirements front, there was a lot of discussion within the QSA ranks on requirement 6.5.6 regarding protection and secure deletion of device memory when cardholder data (CHD) or sensitive authentication data (SAD) were stored in memory during a transaction. As the Council has defined it in the QSA/ASV session, the QSA will interview developers to discuss what they are doing to secure memory and properly delete CHD/SAD. QSAs will also observe that developers are in fact coding for this condition. While this requirement will bring the memory scraping threat to light, most of the QSAs I talked with agreed that the proposed testing is not going to actually have any significant impact on the memory scraping threat of vSkimmer, BlackPOS and the like. And for PA-DSS certified software (v3 of the PA-DSS addresses this threat as well), the horse has already left the barn for those applications. The bottom line is that memory scraping attacks will continue to proliferate until the software vendors address the problem.
I asked a question about PCI DSS v3 requirement 1.3.7 and how it would impact merchants that have their card terminals connected to the Internet for transaction processing. Requirement 1.3.7 states:
“Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.
System components that store cardholder data must not be located in a DMZ or be accessible from the Internet or other untrusted networks”
My confusion was over how all of the merchants I encounter with card terminals that directly connect to the Internet would be able to comply with 1.3.7. After all, in most instances, these card terminals store SAD in memory until the transaction is completed. The Council representatives admitted that the wording in 1.3.7 was a problem and that they would be looking at rewording it because of this and other similar issues that create a conflict.
Finally, the other big discussion topic was ‘Business As Usual’ or BAU. For v3 of the PCI DSS, the Council wants organizations to integrate the requirements of the PCI DSS into their day-to-day processes and then periodically test that the integration has occurred and confirm that the integrated controls are working. At the QSA/ASV session BAU generated a number of questions as to what QSAs were expected to test to assess BAU. The Council admitted that BAU is only a suggested ‘best practice’, not a requirement, which placated a lot of the audience. But if you think about it, if an organization desires to be PCI compliance, BAU should already be occurring in the organization. This is obviously a reminder to organizations that do not get security to provide an incentive for further integrating security practices into their day-to-day processes.
As usual, there was a lot of information sharing between QSAs, ASVs, POs, card brands and the Council at this year’s Community Meeting. The Council members seemed more relaxed than at the roll out of v2 three years ago. Hopefully the roll out of v3 will go much less eventfully than v2.