Another year has come and gone and so has another PCI Community Meeting. There were a number of interesting events at this year’s meeting. Some I will cover here and some I still have to digest and determine what they really mean.
Good Bye Bob
This year’s meeting is the last one for the PCI SSC’s current General Manager, Bob Russo. Over the years, Bob has been a good sport and has been a cowboy and other characters. This year’s community meeting was no exception. At Wednesday night’s networking event, Bob showed up as Gene Simmons’ brother decked out in silver colored platform boots, black tights, leopard spotted top, long black hair and doing his best to show off his tongue.
A lot of us over the years have pilloried Bob for various edicts and clarifications, as he was the leader of the Council. However, if we step back, Bob got the PCI SSC off the ground and took on the thankless task of combining the disparate security standards of the five card brands, giving us the common set of standards we have today, and then asking us to do our best to ensure that those standards were followed.
Even though I have been critical at times of Bob, he has always been pleasant and cheerful to me and others at the community meetings and other events where he was present. Bob recognized that there are always some of us in the crowd that are very passionate about security and tried to assist us in channeling that passion.
Bob stated that he will be doing a “Goodbye Tour” to the other community meetings this year, so make sure to thank him for his efforts, shake his hand and say your goodbyes at whatever meeting you are able to attend.
P2PE v2
The first versions of P2PE were lambasted for being pointless, and the number of solutions certified, now at six, has somewhat proven that the newest of the PCI standards needed some work. As a result, in November 2014 we will receive version 2 of the P2PE standard. According to people I spoke with at the meeting who have seen the new version, the new standard should be much better. Is it perfect? No. But it supposedly is a better version than the originals.
The most notable change to the standard is the approach the Council has taken. Based on the presentation made, they seem to be abandoning the complete end-to-end model and are moving to a component approach based on how the solution will be implemented.
But the huge change to the standard is that a certified P2PE solution can be managed by a merchant without a third party. That is, merchants can manage the encryption keys.
It will be interesting to see just how much the standard has changed since its last iteration only a year ago. But most of all, it will be interesting to see how the new implementation approaches will work.
SAQs
The biggest clarification to come out of the community meeting on SAQs is the Council’s and card brands’ endorsement of using multiple SAQs for documenting compliance with the PCI standard versus doing an SAQ D.
This situation occurs when a merchant has multiple payment channels such as with merchants that have retail stores using traditional card terminals (SAQ B or B-IP) and an eCommerce presence that is outsourced (SAQ A or A-EP).
The other area of discussion that seemed to cause a bit of a stir was related to Web sites that use redirects or iFrames for payment processing. The contention stems from past claims by vendors of these sorts of payment solutions that their solutions placed merchants out of scope for PCI as it related to their eCommerce operation.
Ever since the issuance of the eCommerce information supplement in January 2013 and with the recent issuance by Visa of their eCommerce guidance, the outsourcing world has been buzzing about the implications. Merchants of course have been going back to their eCommerce outsourcers and complaining about the fact that their eCommerce is no longer out of scope.
Reliance On Others’ Work
My final comment is related to a question I asked at the Open Forum session on Wednesday. We have been getting push back from our larger clients on our limited use of their internal audit work, SSAE 16 reports, ISO 27K audits and similar work, if we used it at all. The driver is that clients want to minimize the disruption to their personnel caused by all of the audits and assessments that are occurring these days. This prompted me to ask at the Open Forum what the Council’s advice is on relying on other auditors’ work to reduce sampling.
The answer I received was, “No, absolutely not.” Quickly followed by, “Of course, I mean other auditors, not other QSAs and PA-QSAs.”
This blunt answer apparently shocked the audience as the people on stage reacted to that shock as well. The people onstage then backed off saying that the Council would have to take the issue back and discuss it.
After asking this question I was approached by a number of people thanking me for bringing up the topic. The bottom line is that organizations are audited and assessed out. Most feel like one audit/assessment ends and another one begins. But the truly annoying thing is that certain portions of all of these audits/assessments cover the same ground over and over and over again, such as physical security, access controls and end user management. Handled properly, reliance on that prior work would not eliminate all testing, but it would definitely reduce the amount of testing and also reduce sample sizes.
But a very telling comment came from a member of the American Institute of Certified Public Accountants (AICPA) who told me that the AICPA has repeatedly tried to meet with members of the PCI SSC to discuss the SSAE 16 standard and how it could be used to reduce a QSA’s work only to be rebuffed by the Council.
Organizations would be more willing to go through PCI assessments if work done by their internal auditors as well as outside auditors could be leveraged to simplify their lives, not complicate them. This will only become more important as the Council pushes organizations to adopt business as usual (BAU).
If I had one important takeaway for the Council to work on, it would be to work with other standards bodies such as the AICPA, ISO, FFIEC and the like, and work toward providing guidance to organizations on how to use internal and external audit reports.
Is the statement that it is acceptable to utilize multiple SAQs you mention, covered at the Community Meeting, published somewhere formal by the PCI SSC or the card brands? Other than requesting you to reach out to your Acquirer?
FAQ 1082 from the PCI SSC FAQ section does not reflect the Council’s latest thinking and says that a merchant should contact their bank to get approval for what they should do. Hopefully, they will update this FAQ.
Regardless, for example, if you wanted to use SAQ B-IP for brick and mortar and SAQ A for eCommerce, you would have to get that cleared by your acquiring bank. They would have to confirm that your organization meets the criteria for each SAQ and that they are willing to accept multiple SAQs.
When is the new P2PE standard supposed to come out?
At the Community Meeting they used November 2014, but were not specific on an actual date.
I missed the part about a merchant being able to use multiple SAQs. So, if I understand you correctly, the SSC now allows that?
Not so much that it is allowed as it is that it is now endorsed by the Council and the card brands. In the past, some acquiring banks would allow the approach, but they were few. Now with the Council and the brands stating it is acceptable, we’ll be able to avoid the SAQ D for most merchants with multiple payment channels.
I take your point on placing reliance on other auditors; companies certainly feel over-audited. At the same time I have some sympathy for the Council’s caution on this. It is a fact that PCI DSS is very granular and specific in its evidence requirements. If I accept as evidence work done by a third party that may not have ticked every PCI box then why should I as a QSA be required to tick those boxes if I do the work myself? On the other hand, if we require that the third party’s work is only acceptable if it does tick all the boxes then, in effect, we are saying that it doesn’t need a QSA to do the assessment. I can imagine many firms being eager to jump on that bandwagon!
I am not saying that QSAs just blindly accept work; the QSA will need to ensure that the other assessor/auditor did the work necessary. The QSA may also have to do some additional testing as well. However, my point is just how many audits/assessments need to look at a list of users, their last logon date and their last password change date before we can all be satisfied that an organization is managing users properly? I have clients whose internal auditors look at these things quarterly and do it at a level of detail 100 times more thorough than most QSAs, yet we cannot accept that as evidence? How about physical security? Does it take a specialist to assess video monitoring, review a visitor log and get a copy of or review the automated access control system?
I am also not implying there are not specialty items that only a properly trained QSA can assess just like there are things that only a properly trained financial auditor can assess. There are specialties everywhere in the audit and assessment fields.
The Council needs to get off their high horse and admit that there are some of their tests that could be performed by any properly trained auditor/assessor and be relied upon by all other auditors/assessors to reduce the impact of the PCI assessment.