Another year has come and gone and so has another PCI Community Meeting. There were a number of interesting events at this year’s meeting. Some I will cover here and some I still have to digest and determine what they really mean.
Goodbye Bob
This year’s meeting is the last one for the PCI SSC’s current General Manager, Bob Russo. Over the years, Bob has been a good sport and has dressed up as a cowboy and other characters. This year’s community meeting was no exception. At Wednesday night’s networking event, Bob showed up as Gene Simmons’ brother, decked out in silver-colored platform boots, black tights, a leopard-spotted top and long black hair, doing his best to show off his tongue.
A lot of us over the years have pilloried Bob for various edicts and clarifications, as he was the leader of the Council. However, if we step back, Bob got the PCI SSC off the ground and took on the thankless task of combining the disparate security standards of the five card brands, giving us the common set of standards we have today, and then asking us to do our best to ensure that those standards were followed.
Even though I have at times been critical of Bob, he has always been pleasant and cheerful to me and others at the community meetings and other events where he was present. Bob recognized that there are always some of us in the crowd who are very passionate about security, and he tried to help us channel that passion.
Bob stated that he will be doing a “Goodbye Tour” to the other community meetings this year, so make sure to thank him for his efforts, shake his hand and say your goodbyes at whatever meeting you are able to attend.
The first versions of P2PE were lambasted for being pointless, and the number of solutions certified, now at six, has somewhat proven that the newest of the PCI standards needed some work. As a result, in November 2014 we will receive version 2 of the P2PE standard. According to people I spoke with at the meeting who have seen the new version, the new standard should be much better. Is it perfect? No. But it is supposedly a better version than the originals.
The most notable change to the standard is the approach the Council has taken. Based on the presentation made, they seem to be abandoning the complete end-to-end model and are moving to a component approach based on how the solution will be implemented.
But the huge change to the standard is that a certified P2PE solution can be managed by a merchant without a third party. That is, merchants can manage the encryption keys.
It will be interesting to see just how much the standard has changed since its last iteration only a year ago. But most of all, it will be interesting to see how the new implementation approaches will work.
The biggest clarification to come out of the community meeting on SAQs is the Council’s and card brands’ endorsement of using multiple SAQs for documenting compliance with the PCI standard versus doing an SAQ D.
This situation occurs when a merchant has multiple payment channels such as with merchants that have retail stores using traditional card terminals (SAQ B or B-IP) and an eCommerce presence that is outsourced (SAQ A or A-EP).
The other area of discussion that seemed to cause a bit of a stir was related to Web sites that use redirects or iFrames for payment processing. This contention stems from past claims by vendors of these sorts of payment solutions that their solutions placed merchants out of scope for PCI as it related to their eCommerce operation.
Ever since the issuance of the eCommerce information supplement in January 2013 and with the recent issuance by Visa of their eCommerce guidance, the outsourcing world has been buzzing about the implications. Merchants of course have been going back to their eCommerce outsourcers and complaining about the fact that their eCommerce is no longer out of scope.
Reliance On Others’ Work
My final comment relates to a question I asked at the Open Forum session on Wednesday. We have been getting push back from our larger clients on our limited use of their internal audit work, SSAE 16 reports, ISO 27K audits and similar work, if we used it at all. The driver is that clients want to minimize the disruption to their personnel from all of the audits and assessments that are occurring these days. This prompted me to ask the question at the Open Forum as to the Council’s advice on relying on other auditors’ work to reduce sampling.
The answer I received was, “No, absolutely not.” Quickly followed by, “Of course, I mean other auditors, not other QSAs and PA-QSAs.”
This blunt answer apparently shocked the audience as the people on stage reacted to that shock as well. The people onstage then backed off saying that the Council would have to take the issue back and discuss it.
After asking this question I was approached by a number of people thanking me for bringing up the topic. The bottom line is that organizations are audited and assessed out. Most feel like one audit/assessment ends and another one begins. But the truly annoying thing is that certain portions of all of these audits/assessments cover the same ground over and over and over again, such as physical security, access controls and end user management. Handled properly, reliance on that prior work would not eliminate all testing, but it would definitely reduce the amount of testing and also reduce sample sizes.
But a very telling comment came from a member of the American Institute of Certified Public Accountants (AICPA) who told me that the AICPA has repeatedly tried to meet with members of the PCI SSC to discuss the SSAE 16 standard and how it could be used to reduce a QSA’s work only to be rebuffed by the Council.
Organizations would be more willing to go through PCI assessments if work done by their internal auditors as well as outside auditors could be leveraged to simplify their lives, not complicate them. This will only become more important as the Council pushes organizations to adopt business as usual (BAU).
If I had one important takeaway for the Council to work on, it would be to engage with other standards bodies such as the AICPA, ISO, FFIEC and the like, and work toward providing guidance to organizations on how to use internal and external audit reports.