As a QSA, there are occasions when a client tells you that you cannot be allowed to keep copies of evidence. The most common occurrence is with firewall and intrusion detection/prevention configurations. But there are odd instances as well, for things like software development lifecycle documentation and information security policies, where the refusal makes no sense.
As a “recovering” penetration tester, I get some of these requests. I once got into a financial institution because their network engineer wanted advice on their firewall configuration and posted the configuration on a forum for people to provide advice. So, people are right to be concerned. That said, qualified security assessor companies (QSAC) are required to provide a secured storage area for storing client evidence, so it’s not like evidence is stored just anywhere.
To be clear, a QSA is required to obtain evidence that supports their assessment of the PCI DSS requirements. The reason is for the PCI SSC’s assessor quality management (AQM) process. The Council has the right to review not only the redacted Report On Compliance (ROC) and Attestation Of Compliance (AOC), but also the evidence that supports the ROC. This has always been the case under the AQM process, but it has only been recently that the Council has started exercising that right and reviewing samples of evidence.
Regardless of all of these precautions and requirements, there are still those times when a client refuses to provide copies of the evidence. What is a QSA to do?
The Council has provided QSAs with an option for when this situation happens. It sounds simple, but it is not always as simple as it appears.
When a client refuses to let the QSA leave with the necessary evidence, the QSA must then require the client to securely store the evidence reviewed for a maximum of three years and to agree to make that evidence available if the Council pulls their ROC for review under the QSAC’s AQM.
The key to this solution is that the client must store exactly what the QSA reviewed, for a period of three years. In the case of a firewall configuration, the client needs to create a human-readable file (e.g., text, PDF, screen shots, etc.) and then store that file securely, either on their network, on a CD/DVD or even on a USB thumb drive. A lot of clients create an encrypted archive for storing this information, which is a very good idea. I have heard of a few situations where the client misplaced the archive, resulting in a finding against the QSAC for not being able to provide the evidence to the PCI SSC for review.
This evidence solution is likely outside the scope of the original contract with the QSA. As a result, the QSA will have to make an addendum to the original agreement to cover this situation. Expect a bit of legal work to draft such an agreement and to get the client to agree to it.
But suppose the client refuses the conditions of the addendum. What then?
This is where the client’s acquiring bank comes into the picture. A client’s acquiring bank is required to arbitrate such disputes between QSAs and their clients. Whatever the acquiring bank decides, the QSA needs to make sure they get the decision in writing (e.g., email, letter, etc.) and file that decision with the rest of their evidence. A QSA should also write up a brief memo giving the background of the situation, so that anyone going back and reviewing the evidence understands what happened and therefore has some context as to why the bank issued its decision.
There you have it. Another situation addressed.