Let us try this again, shall we?
I heard recently about a new PCI acronym – NEIR – from a variety of people. It seems to be that being the PCI Guru, everyone just assumes that I knew what NEIR was about. I was totally stumped. I had no idea what it stood for and various internet search engines were worthless, so I contacted people in my network to get educated.
After a number of communications with a variety of contacts, I was able to find out that this acronym is a new service offering from one of the larger QSACs in the United States. NEIR it turns out stands for Non-listed Encryption Implementation Review. According to the people I communicated, this review results in a Report of Functionality (ROF).
After posting the original post, I was contacted by the QSAC regarding issues with that original post. After a number of email exchanges, we realized where we needed clarifications, where there was confusion, and what needed to be corrected. Based on what I was told by the people I communicated and what the QSAC explained, there is obviously a lot of confusion regarding NEIR. The QSAC is going back to clarify a few items on their side and I rewrote this post to reflect my new understanding of NEIR.
The first piece of confusion was that NEIR was created by the PCI SSC. It was not, it was created by the QSAC who then ran it past some people at the Council to make sure they were not doing something wrong. Why my sources at the Council did not remember it is likely because it did not go against any practices expected by the Council and therefore was forgettable in their minds. However, in using the word “vetted” in the QSAC’s description of NEIR, it seems to have created an impression with some people that NEIR was somehow officially approved by the Council which was not accurate. The QSAC is addressing that issue going forward.
The second piece of confusion was that NEIR is mandated for PCI compliance. Where this confusion I am sure comes from is based on what NEIR addresses. NEIR is a process to assess the implementation of an end-to-end encryption (E2EE) payment solution that has not gone through the P2PE validation process for scope reduction.
As a reminder, if a merchant has an E2EE solution and thus desires P2PE scope reduction for their assessment, then the implementation of that E2EE solution must be performed to ensure it actually protects the payment information and reduces scope. The results are then shared with the merchant’s processor/bank and the processor/bank must give written approval to the QSA for P2PE scope reduction.
That assessment process is mandatory if a merchant expects P2PE scope reduction. Every QSA that encounters an E2EE solution must go through this sort of assessment process and then gets explicit approval for P2PE scope reduction from the merchant’s processors and/or banks. If not performed, then P2PE scope reduction is not allowed for the assessment.
With NEIR, the QSAC has codified that E2EE assessment process for consistency resulting in the ROF for the processor/bank to review and formally approve the scope reduction. I posted about this sort of process a while back which the QSAC’s representative referenced in our communications.
However, as it unfortunately happens with these sorts of things, communications get bolloxed up and what prospects are told versus what they understand is not one and the same. This is what I heard all about as I tried to figure out what was going on. People were inconsistent in what NEIR was about and how it worked and since I did not get any materials from those people due to NDAs, I could not confirm or deny what they were saying was accurate. The only consistency was that it was required for PCI compliance and that it was the Council that required it. It took discussions with the QSAC to get to the bottom of all of this and clarify the situation.
So, there you have it. Now you know about NEIR. So, if you encounter it, you know what you are dealing with and what it addresses. Nothing new, just one QSAC’s take on a process to assess E2EE payment solutions for P2PE scope reduction.
PCI Guru 