If you are a P2PE-QSA, you have likely seen the documentation required to do a Non-Listed Encryption Solution Assessment (NESA). While the P2PE assessment work program (on which the NESA is based) is available to everyone, apparently the Council feels that only P2PE-QSAs have a right to see the new NESA documentation.
Why?
My assumption about this secrecy is that the Council is restricting access to the NESA documentation to stop any QSAs that are not P2PE-QSAs from conducting their own NESAs.
But what does that do to the rest of us who are not so fortunate? How will the rest of the QSA/ISA community know that what they are receiving as the NESA is in fact what they should be receiving if they have never seen it and the Council has chosen not to provide training?
People already complain that the Council makes statements at the Community Meetings that are never communicated to the wider PCI community that is unable to attend. So here we are with a process that produces one or more documents (who knows how many, unless you are a P2PE-QSA). Yet, as QSAs/ISAs, we have no idea what it looks like and have no guidance as to what we should look for in these documents to ensure that the NESA was done properly. We could end up with anything with a PCI SSC logo on it labeled “NESA” and have no idea whether it is acceptable or not.
And if history is a guide, I guarantee you the Council will hold QSAs/ISAs responsible if they accept anything as a NESA even though they have provided no guidance. That is what happened with the first AQM reviews. None of the QSACs in that first round of AQM reviews had ever seen the standards by which they would be judged (they were still being developed). But almost every QSAC went into remediation (there were a few “favorites” that dodged remediation) because they were all assessed to those standards even though the first time those standards were seen by those QSACs was at the start of their respective AQM assessment.
As QSAs/ISAs we have a right to not accept any documentation or attestations that we feel do not convey the information that we believe is necessary to prove compliance of a third-party solution. So I guess until the Council trains us in the new NESA process and what is acceptable and not acceptable, we do not have to accept any output from that process.
At least that is how I recommend QSAs/ISAs should treat the NESA documents until the Council decides to train us.
Even more concerning is the timeframe for NESA – this seems to be all over the map at the moment. The council has provided guidance and some QSA companies have taken this as “Requirements” and fail their clients because a NESA document cannot be produced. Other companies pass merchants with “semi-integrated” solutions because the acquirer says it is their product and therefore they are responsible. Seems to me that the council has opened up a can of worms again with this one.
The Council’s pat answer when things are not clear is to go to the banks/brands and get their formal approval. That is what we do for our customers.
I voiced a complaint about their secrecy on the open mic years ago at a community meeting. I’m sure you were there. I called it a “secret society” where information was shared with everyone but me on how I was going to be audited. At that time it was about new version 2 reporting requirements that my QSA said he couldn’t share with me, but was assessing me against. What?!!!
At the end of the day I kicked that QSA to the curb because he shouldn’t have been a QSA anyway and I got lip service from PCI SSC. There was no change for years. I’ve been receiving the assessor newsletter from “alternate sources.”
Although I will say it has gotten a little better after Bob Russon retired because the PCI Monitor is regularly published and distributed via email.