The End Is NEIR – More Information And Clarity

Let us try this again, shall we?

I heard recently about a new PCI acronym – NEIR – from a variety of people.  It seems to be that being the PCI Guru, everyone just assumes that I knew what NEIR was about.  I was totally stumped.  I had no idea what it stood for and various internet search engines were worthless, so I contacted people in my network to get educated.

After a number of communications with a variety of contacts, I was able to find out that this acronym is a new service offering from one of the larger QSACs in the United States.  NEIR, it turns out, stands for Non-listed Encryption Implementation Review.  According to the people I communicated with, this review results in a Report of Functionality (ROF).

After posting the original post, I was contacted by the QSAC regarding issues with that original post.  After a number of email exchanges, we realized where we needed clarifications, where there was confusion, and what needed to be corrected.  Based on what I was told by the people I communicated with and what the QSAC explained, there is obviously a lot of confusion regarding NEIR.  The QSAC is going back to clarify a few items on their side, and I rewrote this post to reflect my new understanding of NEIR.

The first piece of confusion was that NEIR was created by the PCI SSC.  It was not; it was created by the QSAC, who then ran it past some people at the Council to make sure they were not doing something wrong.  My sources at the Council likely did not remember it because it did not go against any practices expected by the Council and was therefore forgettable in their minds.  However, the use of the word “vetted” in the QSAC’s description of NEIR seems to have created an impression with some people that NEIR was somehow officially approved by the Council, which was not accurate.  The QSAC is addressing that issue going forward.

The second piece of confusion was that NEIR is mandated for PCI compliance.  I am sure this confusion comes from what NEIR addresses.  NEIR is a process to assess the implementation of an end-to-end encryption (E2EE) payment solution that has not gone through the P2PE validation process for scope reduction.

As a reminder, if a merchant has an E2EE solution and thus desires P2PE scope reduction for their assessment, then an assessment of the implementation of that E2EE solution must be performed to ensure it actually protects the payment information and reduces scope.  The results are then shared with the merchant’s processor/bank, and the processor/bank must give written approval to the QSA for P2PE scope reduction.

That assessment process is mandatory if a merchant expects P2PE scope reduction.  Every QSA that encounters an E2EE solution must go through this sort of assessment process and then get explicit approval for P2PE scope reduction from the merchant’s processors and/or banks.  If it is not performed, then P2PE scope reduction is not allowed for the assessment.

With NEIR, the QSAC has codified that E2EE assessment process for consistency, resulting in the ROF for the processor/bank to review and formally approve the scope reduction.  I posted about this sort of process a while back, which the QSAC’s representative referenced in our communications.

However, as unfortunately happens with these sorts of things, communications get bolloxed up, and what prospects are told versus what they understand is not one and the same.  This is what I heard all about as I tried to figure out what was going on.  People were inconsistent about what NEIR was and how it worked, and since I did not get any materials from those people due to NDAs, I could not confirm or deny whether what they were saying was accurate.  The only consistency was that it was required for PCI compliance and that it was the Council that required it.  It took discussions with the QSAC to get to the bottom of all of this and clarify the situation.

So, there you have it.  Now you know about NEIR.  If you encounter it, you know what you are dealing with and what it addresses.  Nothing new, just one QSAC’s take on a process to assess E2EE payment solutions for P2PE scope reduction.


5 Responses to “The End Is NEIR – More Information And Clarity”

  1. Industry Guru
    November 12, 2020 at 3:53 PM

    “NEIR” is problematic. If a QSAC wants to say “we have a structured process for reviewing your solution to make assessments as to the reduction of applicable PCI DSS controls in lieu of P2PE” then fine. But don’t tell your customers they need to fill out this NEIR for PCI compliance and leave the industry feeling that it is being passed off as a PCI program.

    BTW, if you haven’t guessed, PCI’s P2PE program is a “kitchen sink” approach entirely opposite of the incremental approach other PCI programs follow. If you don’t do it all, you get nothing. The costs are higher than the benefits. No wonder things like custom evaluation programs from QSACs are cropping up.

  2. March 10, 2020 at 12:32 AM

    You’re mixing up some things here. NESA is not an approved anything. It’s a methodology that the SSC came up with to provide a means for vendors that sell legacy end to end encryption solutions to get a gap analysis done, and provide the results to their customers in a standardized form so that the customers and their QSAs can figure out how to approach the system.

    Part of that is determining whether the merchant has implemented the solution in such a way as to support scope reduction. For an actual P2PE Solution, that’s easy. For one that’s not listed, it’s hard. You need to have a P2PE-QSA evaluate what the solution is doing in the merchant environment. If there is an application on the POI device that has access to account data, for example, if it does whitelisting, then you might need a PA-QSA (P2PE) to evaluate that too.

    The reality is that many non-listed encryption solutions aren’t listed because they don’t meet P2PE requirements. What some QSACs call “NEIR” is just a way of calling out the effort required to verify the customer’s claims of scope reduction from a non-listed encryption solution.

    When you think about it, it’s not really any different than using any service provider. Either the service provider is assessed as part of your assessment, or they go under their own assessment and provide an attestation of compliance. It’s the same thing with encryption solutions. Either the Solution Provider goes through a P2PE Solution assessment and gets listed, or the solution implementation gets assessed as part of every customer’s assessment.

    Better, in my opinion, for the merchant to use a real P2PE solution, which is proven and guaranteed, than to rely upon a non-listed solution, where the merchant bears the risk.

  3. Johan
    March 9, 2020 at 3:48 AM

    There are a lot of factual errors in the article, if you want to have a conversation about what NEIR is, then please contact me. I wrote the NEIR program, and vetted it with the PCI SSC.

  4. March 8, 2020 at 10:39 AM

    A quick Google search and I am not surprised by the company name that came up associated with NEIR.

    This just proves it again: don’t believe anything anyone says, even if it is your QSA. If something sounds fishy, go do some of your own research. Use your network.
