March 2011 has been a busy month thus far for the PCI SSC. On Thursday, March 10, they announced a new ASV training program and on Friday, March 18, they released an Information Supplement on protecting telephone-based cardholder data.
The ASV training program has blindsided the ASV community as it was a total surprise. Yes, there has been talk over the years at the Community Meetings and in other venues regarding ASV qualifications and training, but nothing ever seemed to come from those discussions.
According to the press release, the ASV training program, “… is a direct response to the feedback we’ve received from the merchant community …” One can only assume that the complaints that have been voiced about ASVs from merchants and service providers as well as the comments in the media have finally caught the attention of the PCI SSC and they are going to address the problem with training.
The consistent complaint I have heard from clients over the years was in regards to the fact that no two ASVs ever scoped their network the same for vulnerability scanning. The next most common complaint was always about the different results of the vulnerability scanning which was most often voiced after a company changed ASVs. While there are always some bad apples in the bunch, I do believe that most ASVs know what they are doing.
As a result of all of this, I am sure this new training requirement is to address the complaints and make the program better. This training is in addition to the network security test ASV companies already had to pass. For those of you that did not know, ASVs have to conduct network security scanning against a test network with predefined vulnerabilities operated and configured by the PCI SSC. ASVs are expected to produce a sample ASV report and document all of the predefined vulnerabilities.
The ASV training is comprised of an eight hour online course and an examination. A minimum of two employees are required to take the course and pass the examination. Once this has been accomplished, the organization is designated as having Qualified ASV employees. As with a lot of PCI requirements, there are some important dates involved. ASVs that are renewing their status prior to June 1, 2011 need to get two personnel trained and passed the examination by June 15, 2011. ASVs that will certify after June 1, 2011 need to have two staff trained and passed the examination by their renewal date.
Given the additional cost of this new training plus the requirement to have a minimum of two people trained, it will be interesting to see if any of the existing 130 ASVs drop out because of this new requirement.
Telephony Cardholder Data
The other issuance of interest this month was in regards to telephone conversation recordings that contain cardholder data. While this is a longer dissertation on FAQ 5362, there is really nothing new presented in this information supplement. The bottom line still is that if you have call recordings that contain cardholder data you are required to either; (a) do not record it in the first place, (b) if recorded, redact it if possible, or (c) make sure that it cannot be searched, is encrypted and access is restricted. The best thing about this information supplement is the flowchart that was created for this situation.
PCI Guru 