I Just Could Not Keep My Mouth Shut

I will give Hoyt Ketterson the credit for my question to the Council in the Assessor Session at the end of the 2022 North American PCI Community Meeting in Toronto.

There I was, just minding my own business with a list of questions I wanted to ask the Council. Hoyt asked about compensating control worksheets (CCW) and used an example of a merchant that had missed one Approved Scanning Vendor (ASV) scan that caused him to create a CCW for that issue.  That triggered a flashback to a client I had dealt with a couple of months earlier who had 12 monthly external scanning reports from an ASV, but due to an information security employee leaving, they only had two “ASV Certified Scans” because they forgot to click on the scanning portal site to make the other two quarterly scans “ASV Certified”. So much for those other questions on my list.

Before discussing my question and the rationale behind it, a quick bit of history as to how we got the ASV program in the first place.

Back before we had the PCI SSC, we had the various Card Brand compliance programs, Mastercard had their Site Data Protection (SDP) program that focused on eCommerce site security.  [That program still exists by the way, but now it supplements the PCI DSS.]  Part of that program was that Mastercard operated a security lab in the EU that prospective ASV organizations were required to scan against and produce a report of all of the vulnerabilities they found. Representatives of Mastercard would review those scanning results and would certify the organization to be an ASV if they passed the test.

Back then, consulting firms that were Qualified Security Assessor Companies (QSAC) were typically an ASV as well [You do NOT want a client going elsewhere for services you can also provide.] and were using tools like Internet Security Scanner and Nessus to conduct scans.  The process to get vulnerability scans run was a very manual and, at times, a time-consuming process.  It was an art form to properly configure these tools to get accurate results.  This is why Mastercard set up a testing lab to insure that ASVs were providing accurate results.  ASVs were required to test against the Lab and recertify annually to ensure that their scans are accurate. [Today, that still occurs but the vendor instructs all ASVs how to properly configure their specific scanner to pass the PCI SSC scanning testing.]

With that background, here is my question.

“What is the point of the ASV program today?”, I asked the round table participants.

Fast forward to today and now most ASVs are just rebranding and reselling ASV portals from Qualys, Tenable and Rapid7.  Which obviously leads to my question given where we are today and the rationale for my question.

• The ASV of today is nothing like the ASV of yesteryear from when things started with Mastercard’s SDP program. The process is hardly manual and is totally automated.
• A person no longer manually configures, initiates or monitors the scanning process. In 99% of cases, the only time an ASV is involved is if the merchant or service provider needs to discuss false positive results and to have them removed from the report.
• ASV scanning today uses the same scanner and settings. The only thing that makes an ASV scan an “ASV Certified Scan” is that the end user typically clicks on a button or check box to make it such.
• The assessed entity is the one that initiates the scans, not the ASV. Which really makes you wonder about the requirement for ensuring that the person running the scan is qualified. What qualifications does anyone need to click a button to start a preset, preconfigured scan?
• Now a days, vulnerability scans are scheduled so no human being initiates a scan. Which makes you wonder why someone has to check a box or click a button to initiate an ASV Certified Scan. Why is that also not automated?
• 99% of ASVs use a portal operated by one of known vulnerability scanner vendors. Unlike the good old days when each ASV configured and operated one of many vulnerability scanners. This can lead to some frustration with the ASVs that are not also the vendor of the scanner. I have been personally involved in situations where the vendor makes a change to their scanner and while they pass their ASV test, my organization did not. Thus forcing me to work with the vendor (also an ASV competitor) to tweak the configuration of their scanner so that my organization can also pass.

The bottom line is that the current ASV scanning process is nothing like the processes that began the ASV certification process almost 20 years ago.

The Council has agreed that further discussion on the subject is needed to understand today’s external vulnerability scanning processes and has promised to initiate those discussions. So stay tuned as change may be coming.

Advertisement

Guru And David Get The Last Word!

About a month ago, Coop and Ben were interviewed on the Sycurio QSA Seminar Series. Well, now the “better half” of the PCI Dream Team are speaking at the Sycurio QSA Seminar Series on Friday, September 30, at 11AM ET/1500 UTC.

We are going to “dish” on this year’s PCI North American Community Meeting as well as I am sure discuss what we have learned about PCI DSS v4 and whatever else comes up in our conversation as well as answering questions from the audience.

For anyone that wishes to attend, you can register here. 

David Mundhenk and I look forward to “seeing” you at this great session.

2022 North American Community Meeting

I am looking forward to physically seeing people at this year’s PCI North American Community Meeting.

Sadly, only two of the four PCI Dream Team members will be in attendance.

Ben Rothke is being forced to stay home and manage audits that are occurring during the Community Meeting. David Mundhenk is also going to be otherwise engaged that week as well.

While we will miss not having the Dream Team together in person, Art “Coop” Cooper and I will struggle along without them.

This year the Council will have a lot to discuss regarding PCI DSS v4 and we are anticipating a good exchange of information and clarifications.

If you are coming to Toronto, safe travels. We cannot wait to see you all there.

The Next PCI Battleground – The Customized Approach

Flexibility is how the Council and their spokespeople tout PCI DSS v4 and the Customized Approach.  The Customized Approach will allow your organization to make the PCI DSS your own and similar comments are made. 

While those are all very true statements, the Council is wrapping the Customized Approach with some caveats that are not necessarily being broadcast to the general public. 

The first caveat that comes through loud and strong during the PCI DSS v4 Transition Training that QSAs are required to take in order to use v4.  That caveat is that the Customized Approach is really only for organizations that have a mature controls environment.  The Council’s rationale for this is that the Customized Approach is not for organizations that have anything but strong and mature control environments because the Customized Approach requires mature and functioning controls that can be tested to show they are always functioning.  This point was repeatedly pointed out whenever the Customized Approach was discussed.  When you look at the documentation being required to use the Customized Approach it is very clear that only organizations that have strong control environments are going to be able to provide the documentation and evidence necessary to meet the Customized Approach documentation and evidence standards. 

The next caveat is that much of the documentation and evidence that an organization needs to provide for the Customized Approach MUST BE developed by the organization, not their QSA.  This goes back and reinforces the idea that only organizations with strong and mature control environments are going to be able to use the Customized Approach because such organizations are going to be the only ones that have their act together to be able to produce the necessary documentation and evidence.   

If your organization does need assistance developing a Customized Approach, do not expect your QSA to be able to help you because they cannot and still maintain their assessor independence.  So, organizations will have to get assistance from a different QSA if they need such help.  While that QSA can be from the same QSAC, I am guessing that a lot of QSACs will want to have a different QSAC provide such assistance so that they ensure they are independent. 

The final caveat is that the Customized Approach is not a new compensating control worksheet (CCW) exercise.  Not even close and far from it!  The Customized Approach is going to require organizations to not only provide documentation of the approach and how it works, but that it manages the risk at or below the PCI DSS approach, and evidence that the approach works and works consistently by conducting their own testing (hopefully independent, i.e., internal audit) and providing complete documentation of that testing.  From all of that your QSA reviews the documentation, develops their own testing procedures and validates that the Customized Approach is functioning as designed.  Better yet, the Council has been very, very clear to QSAs that this is not something an organization can just toss together when they figure out, they have a PCI compliance problem.  This needs to have been implemented and thought out long before the organization got to conducting their PCI assessment. 

All of which leads to why this will be the next battleground. 

At any point in the PCI assessment, the QSA can reject the proposed Customized Approach for a number of reasons.  Some of which could be: 

• Inability of the organization to provide evidence that they have a mature and strong controls environment, 

• A lack of complete documentation for the Customized Approach, 
• Failure of the proposed controls to meet the PCI DSS requirements addressed by the Customized Approach, 
• Lack of adequate organizational testing (i.e., testing not performed over a period of time), and  
• Failure of the QSA to prove that the Customized Approach works through their own testing. 

Keep in mind that QSACs are going to be on the hook for approving these Customized Approaches.  If they blow up and result in a breach, this will put not only the organization on a legal hook, but also the QSAC that approved the Customized Approach.  In these days of risk mitigation and management, most QSACs are going to be very, very careful as to what Customized Approaches get approved.  I would not be surprised if QSAC senior management and their legal counsels will be involved in that approval process.  All of which will most likely stretch out getting a finalized ROC out the door. 

As someone that runs a PCI practice, while implied by the Council in their guidance on this subject, I would require documentation that an organization’s controls environment is mature and strong.  First thing that fails that test is if the organization has had any control failures since their last PCI assessment.  In my very humble opinion, if you have any reason to need a CCW, you do not get to use the Customized Approach.  Nothing says your controls are not mature and strong is that you cannot execute required PCI controls 99% of the time.  All of this starts to indicate to me that business as usual (BAU) and that an organization monitors those BAUs is going to become a requirement of QSAs to sign off on Customized Approaches.  If an organization has not integrated PCI controls into their business processes and is not monitoring their compliance on a near real time basis, then do not expect your QSA to sign off on using a Customized Approach.  Yes, control environments are not perfect, and mistakes/errors happen.  But if you cannot prove that you knew almost immediately that the control failed and that you took action to correct the situation when you found the failure, then I really have difficulty judging your environment as mature and strong. 

Who does the organization appeal to if they do not like the QSA’s assessment of their Customized Approach?  While not clearly articulated by the Council, I am assuming it will be the acquiring banks or even the Card Brands. 

The lesson here is, be very careful what you wish for.  While you now have a way to customize the PCI DSS, it is not a panacea nor is it going to be available to everyone.  Time will tell how this experiment works out. 

PCI DSS v4 Transition Training Arrives

I received an email from the Council today that announced that PCI DSS v4 Transition Training will begin to be available through the PCI Portal the week of July 11 for all current QSAs.

According to their message:

“The training takes between 4-5 hours to complete and is based on documents that are already available:

• PCI DSS Requirements and Testing Procedures Version 4.0
• PCI DSS v4.0 Report on Compliance Template
• PCI DSS v3.2.1 to v4.0 Summary of Changes
• PCI DSS v4.0 AOCs and SAQs
• PCI DSS v4.x Report on Compliance Template – Frequently Asked Questions

We recommend assessors download these documents before taking the training course. There will be an exam that follows the training. The exam is an open book, 25 multiple-choice questions, which you will have 60 minutes to complete. The questions are based on the course content and associated documents (listed above). You will be granted access to the exam via the Portal once you have completed the training. Once you pass the exam, with a 75% or higher, the website listings will be updated to reflect that you are now qualified to lead an assessment using PCI DSS v4.0.

Important exam information summarized:

• 25 multiple-choice questions
• Open book
• Available via the Portal after you complete the transition training
• 60 minutes long
• 75% or higher score to pass

Once the training is available, you will receive an email with instructions on how to access the training and take the exam.”

Best of luck to everyone on passing this new QSA requirement.

UPDATE: I passed the PCI DSS v4 Transition Training on July 17. A lot of material in the presentations but it is good stuff and I found it very informative. I still have questions about how the tables in section 6 of the ROC work and have asked for additional clarifications. My biggest concern is avoiding the debacle a lot of QSACs went through when we all went through the first AQM process and most ended up in remediation.

PCI DSS v4 Global Symposium Is Now Available

The PCI SSC has published the PCI DSS v4 Global Symposium for all QSAs, ASVs and Participating Organizations (PO).

To virtually attend this pre-recorded set of presentations you can go here. The Symposium dropped on Tuesday, June 21, and is available through Tuesday, August 30, 2022.

The Agenda for this Symposium includes:

• Welcome Remarks
• PCI DSS v4.0 Highlights
• Requirements: What’s New And Exciting
• Flexibility For Implementing Security Controls (likely all about the new Customized Approach)
• The New Approach To Reporting (explanation of how the new ROC template works?)
• A Look Into Self Assessments
• Preparing To Move To 4.0
• PCI DSS v4.0 Educational Resources
• Closing Remarks

I have yet to attend this almost 3 hour symposium, but I am guessing, based on the topics, that some of this is a rehash of what we have already been provided. However, there does appear to be some new material, so it still should be informative and interesting.

Join Me This Tuesday, June 21

I will be speaking on the subject of PCI DSS v4 at 1145AM ET.

You can register for this great event from the ISACA Toronto Chapter here.

I look forward to interacting with you at this virtual event.

The SAQs Have Been Published

Just a quick post to let everyone know that the PCI SSC has published the version 4 Self-Assessment Questionnaires (SAQs). You can get them under the Documents Library and select SAQS.

The Gag Is Coming Off!

Coming Thursday, April 28, to an internet connection near you!

The PCI Dream Team of Ben Rothke, Art “Coop” Cooper, David Mundhenk and the PCI Guru himself will finally be able to openly discuss PCI DSS v4 – warts and all!

So, bring your questions and concerns to this open discussion of v4. As always, if you cannot attend the live session, you can submit your questions to pcidreamteam AT gmail DOT com.

Register here for this session.

We look forward to “seeing” everyone there.

PCI DSS v4 First Blush Comments

All I can say is Wow!  WOW! 

There is a LOT of “busy work” in this version. 

For any QSA that does not have access to some form of tool for filling this bad boy out, heaven help you.  It seems that the Council has declared war on the QSACs and QSAs.  I would venture a guess that the number of hours required to fill out and ticking and tying things will be twice the amount of time a QSA spends on actually doing the assessment. 

Sadly, it is painfully obvious as to why this has happened. 

I am sure it is to get back at all of the “ROC Mills” out there (you know who you are) that conduct PCI assessments by essentially licking a finger, putting it in the air and sensing which way the wind is blowing, i.e., “you are compliant!” 

But sadder still are the poor merchants and service providers that are now collateral damage in this “war”.  I would not be surprised that, if after reviewing this Albatross of a standard, those merchants and service providers revolt.  That constituency is not going to pay for the overhead in this new version.  Even those that have done the correct thing and minimized their scope are going to get screwed over because of all of the “busy work” required to even complete their assessments. 

If the Council wanted to find a way to put themselves out of business, I think they have found that in v4. 

I thought I was only joking in my April Fool’s Day post about “Miserable Edition”.  But I was apparently spot on.  I cannot wait to attend training on this abomination to understand their justification for making a PCI assessment even more miserable than it already was.