When A Client Refuses To Provide Evidence

As a QSA there are occasions when a client tells you that you are not allowed to keep copies of the evidence.  The most common occurrence is with firewall and intrusion detection/prevention configurations.  But there are odd instances as well for things like software development lifecycle documentation and information security policies, where withholding them makes no sense.

As a “recovering” penetration tester, I get some of these requests.  I once got into a financial institution because their network engineer wanted advice on their firewall configuration and posted the configuration on a forum for people to provide advice.  So, people are right to be concerned.  That said, qualified security assessor companies (QSAC) are required to provide a secured storage area for storing client evidence, so it’s not like evidence is stored just anywhere.

To be clear, a QSA is required to obtain evidence that supports their assessment of the PCI DSS requirements.  The reason is for the PCI SSC’s assessor quality management (AQM) process.  The Council has the right to review not only the redacted Report On Compliance (ROC) and Attestation Of Compliance (AOC), but also the evidence that supports the ROC.  This has always been the case under the AQM process, but it has only been recently that the Council has started exercising that right and reviewing samples of evidence.

Regardless of all of these precautions and requirements, there are still those times when a client refuses to provide copies of the evidence.  What is a QSA to do?

The Council has provided QSAs with an option for when this situation happens.  It sounds simple, but it is not always as simple as it appears.

When a client refuses to let the QSA leave with the necessary evidence, the QSA must then require the client to securely store the evidence reviewed for a maximum of three years and agree to make that evidence available if the Council pulls their ROC for review under the QSAC’s AQM.

The key to this solution is that the client must store exactly what the QSA reviewed for a period of three years.  In the case of a firewall configuration, the client needs to create a human readable file (i.e., text, PDF, screen shots, etc.) and then store that file securely either on their network, on a CD/DVD or even on a USB thumb drive.  A lot of clients create an encrypted archive for storing this information, which is a very good idea.  I have heard of a few situations where the client misplaced the archive, resulting in a finding against the QSAC for not being able to provide the evidence to the PCI SSC for review.

This evidence solution is likely outside of the original contract with the QSA.  As a result, the QSA will have to make an addendum to their original agreement to cover this situation.  Expect a bit of legal work to draft such an agreement and to get the client to agree to it.

But suppose the client refuses the conditions of the addendum.  What then?

This is where the client’s acquiring bank comes into the picture.  A client’s acquiring bank is required to arbitrate such disputes between QSAs and their client.  Whatever the acquiring bank decides, the QSA needs to make sure that they get the decision in writing (e.g., email, letter, etc.) and put that decision in with the rest of their evidence.  A QSA should also write up a brief memo to provide the background of the situation so that anyone going back and reviewing the evidence understands what happened and therefore has some context as to why the bank issued their decision.

There you have it.  Another situation addressed.


6 Responses to “When A Client Refuses To Provide Evidence”

  1. Mike
    July 15, 2019 at 10:09 AM

    I have a client that is being audited and their QSA is asking for evidence that was part of our PCI assessment. I have provided the AOC, but the QSA is insisting that I provide the evidence that was part of our assessment. My Chief Compliance Officer says the AOC is all they get as they are requesting configurations. What say you?

    • July 18, 2019 at 7:23 AM

      As a service provider, all you need to provide your customer is your Service Provider AOC. I would have to look at your AOC before I can fault the QSA in question. If everything is properly filled out, there is no reason to honor your customer’s QSA’s request.

      That said, I have encountered instances where a service provider is providing their Merchant AOC, not the Service Provider version. I have also seen QSAs mistakenly use the Merchant AOC form instead of the Service Provider version for service providers. I have also had instances where the Service Provider AOC is not properly filled out in that section 2g does not cover all services and/or the matrix is not complete. So there could be honest reasons for the QSA’s request. More investigation is required before you can get an answer.

  2. April 27, 2018 at 9:14 AM

    Yet another informative posting.

    To clarify, you are writing about when the client ‘shows’ you the evidence, but doesn’t want to give you a copy to store. Correct?

    • April 28, 2018 at 6:00 AM

      Correct. It is not unusual to encounter that issue. However, some of the documents a client wants to protect can be rather “odd” such as policies and standards.

  3. Oz
    March 26, 2018 at 4:11 AM

    Maybe it’s just because I’m in the public sector, but our audit method has always been “No evidence, it didn’t happen.” For example, no evidence of firewalls rules is the same as not having a firewall in terms of the report findings.

    The mayor and directors would then get a report about the refusal to provide the evidence and then they would rain down fire and brimstone until whoever was refusing to help coughed up the goods. Usually, the threat of writing that in a report is enough to get them to co-operate though!

    • March 29, 2018 at 4:02 PM

      In the case of a PCI assessment, no evidence results in a “Not In Place” designation for the relevant tests which then results in a Non-Compliant assessment. Same result though from management.


March 2018