Author Archive for PCI Guru

10 Nov 21

PCI Dream Team Holiday Event

On Wednesday, December 8, at 1PM ET/1800 UTC the PCI Dream Team will host its first ever holiday event as our “gift” to the PCI community.

To join us at our first holiday event, you can register here.

As with all of our sessions, please be prepared with your hardest PCI questions and concerns to stump the Dream Team. If you are unable to attend, you can always submit questions to pcidreamteam AT gmail DOT com and then review the recording of the session at TrustedSec.

So, hang the Mistletoe and let the Eggnog flow.

Happy holidays from the Dream Team (Ben, Coop, David and Jeff) and we look forward to “seeing” you at this holiday session.

24 Oct 21

Remote PCI Assessment Guidance Issued

At the end of September 2021, the PCI Council released a Guidelines and Procedures document on conducting Remote Assessments for PCI and card brand assessments.  Most of this document is a rehash of previous Council statements and guidance.  However, there is one new element in this document that all QSAs will need to read and comply with and that is the requirement of documenting a feasibility analysis to justify conducting a remote assessment.

Some of the examples the Council gives as valid reasons that an on-site assessment may not be feasible includes:

  • Restrictions on the ability to travel or meet in person due to health and safety concerns or government advisories.  We are all familiar with the COVID-19 pandemic and its impact on travel, particularly international travel.  However, I encountered this a while back due to a volcanic eruption in Iceland that cancelled my trip to Europe.  Since we had no way of knowing how long the eruption would cause travel disruptions and we were on a tight timeline, we conducted video conferences rather than travel.
  • Geographic locations that are physically inaccessible or difficult to reach.  I personally ran into this situation once several years ago when a data center in Europe that was supposed to be decommissioned before the next assessment remained operational.  The company I worked for had shut down their EU operations and there was no way to justify 16 hours of flight time for a two-hour data center walk through.  We held meetings with the data center operator via video conference and did a virtual walk through.
  • Testing required at a location is limited to documentation and interviews and no observations of processes, systems or physical environment apply.
  • The entity operates a virtual environment without physical premises or facilities.  This has become more and more common with entities that operate in The Cloud.  Why rent expensive office space when there is no need for it?  This situation only got more prevalent with the pandemic and will likely only increase in the future.

As the Council states in their guidance,

“For many assessments, a combination of onsite and remote testing may provide a suitable balance, as it allows for increased efficiencies in the assessment process while enabling an appropriate level of assurance to be achieved in the assessment result.  For example, documentation reviews can often be performed remotely without significant loss of assurance, whereas observations of processes and environmental characteristics will generally require an onsite review.”

Regardless of whether the assessment fits into one of the bullets above, the Council wants QSAs to formally document their analyses of why the onsite assessment cannot be performed and the risks that may present to meeting the assessment objectives.  This analysis needs to be completed prior to starting any testing and is supposed to be a joint effort between the assessor and the client.

Topics that the Council recommends be addressed include, but are not limited to:

  • Confidentiality, security, and data protection requirements.
  • Availability and effectiveness of the remote assessment technologies.
  • Effects on entity’s personnel.
  • Effects on operation support.
  • Assessment scope and completeness.
  • Quality and reliability of digital evidence.

The Council further states:

“During the analysis, the entity and assessor should identify any challenges and potential risks associated with the remote testing and determine whether it is feasible for testing to be thoroughly completed to produce a high level of confidence in the assessment results.

The results of the feasibility analysis—including the risks and challenges associated with use of the remote testing methods, and any mitigating controls for overcoming the risks and challenges—should be documented and agreed upon by both the entity and assessor. A copy of the feasibility analysis results should be included with the applicable ROC/ROV. Entities and assessors may be required to produce the analysis upon request by the PCI SSC or applicable compliance-accepting entity.”

The key points from the statement above are that: (1) the feasibility analysis needs to be submitted with the ROC/ROV and, (2) if requested by the PCI SSC or the compliance-accepting entity (i.e., Brand or bank), the QSA is required to produce the analysis.  As a result, this is a non-optional exercise.

The feasibility analysis must conclude one of the following:

  • The assessment is feasible to be fully completed at this time using onsite methods, remote methods, or a combination of onsite and remote methods.
  • The assessment is only feasible to be partially completed at this time.
  • The assessment is not feasible currently.

According to the guidance, it is only those assessments that are completely feasible that can be conducted.

The Council includes a very important note regarding the analyses.

“The feasibility analysis determines whether the use of remote testing methods is feasible for a particular assessment.  Determining that a remote testing method is feasible does not guarantee that use of the testing method will produce the level of assurance needed for the assessor to reach a finding; this will depend on how the remote testing method is implemented and used, whether the testing can be completed for all applicable components and areas, and whether sufficient evidence is provided for the assessor to make a determination.  Assessors and entities should continue to monitor and evaluate the effectiveness of the remote testing methods throughout the assessment to confirm whether the testing methods are performing as intended and whether additional testing may be needed.”

This concept of “assurance” appears to be entirely in the eye of the beholder.  Meaning, if the Council, Brands or Banks determine, in their opinion, that the remote methods are not providing appropriate levels of assurance, the ROC/ROV can be rejected.  Not that a lot of banks are going to reject ROCs/ROVs on this, but I can see the Council’s AQM reviews and Card Brands rejecting ROCs/ROVs on analyses that they deem flawed or incomplete.  The AQM process is the most concerning because a QSAC could end up in remediation due to a failure to appropriately document the remote assessment feasibility.

As with most edicts issued by the Council, they should have produced a form for this feasibility analysis so that everyone understands what is required.  Can the feasibility analysis be documented in section 1.2 of the reporting template or is a separate document required?  I would recommend using section 1.2 for the obvious remote assessments (COVID travel restrictions and everything in The Cloud) and a separate document for feasibility analyses that require a longer discussion.

Sadly, I foresee a lot of confusion and heartache in the QSAC community as we move through this new requirement.  That is because I see a lot of assessments that are blocked due to COVID travel restrictions or the assessed entity having no physical offices being rejected for “flawed” feasibility analyses when it should just be allowed with no further documentation or discussion.

It will take time to see how this shakes out.

UPDATE 11/29/2021 – I received a comment on this post (see below) and the confusion is beginning. A service provider has had one of their customers request the documentation described in Appendix A of the remote assessment guidance document as well as the remote assessment feasibility study. Since these are ROC documents, there is no Council requirement for any organization to turn over its ROC to any third party other than its acquiring bank or the card brands. The AOC is the communication document to third parties. If an organization wishes to turn over Appendix A from the guidance, that is the organization’s decision, but it is NOT mandatory nor is it required by the Council.

17 Sep 21

2021 Government IT Symposium

I am honored to have been granted the privilege to speak at the 2021 Government IT Symposium this coming November.

I will be speaking (virtually) on Tuesday, November 16, at 1:45PM CT/1945 UTC.  My presentation is titled ‘PCI Compliance – Yes, That Includes Governments’.  The reason for my session is that while the PCI DSS has been around for over 15 years, government entities still question how it applies to them and why.  In my years doing assessments for government entities, I have found there are a number of unique situations that complicate their assessments.  In my session I will cover the basics of the PCI DSS and provide a walk through of the potential traps that tend to trip up government entities.

If you want to register for this symposium, go here to register.

I look forward to seeing you there.

27 Aug 21

So Much For “Live” In October

We have been notified that the (ISC)2 Security Congress in October will now be virtual.

We would still like to virtually meet with all of you anyway. See this post for where to register and how to submit questions for our session that will still go on virtually.

23 Aug 21

Killer Community Meeting This Fall

The PCI Council has announced the schedule for this Fall’s Global Community Meeting and it will be a killer.

Tuesday, October 26, will be held on Central European Summer Time (UTC+2) and starts at 9AM. For all of us in the Continental United States, that means it will start anywhere between Midnight Tuesday to 3AM. For those in Asia, that will fall from lunchtime to early evening. The “day” will end in the US at 11AM Eastern, 8AM Pacific.

Wednesday, October 27, is on Japan Standard Time (UTC+9) and again starts at 9AM. For those in Europe, that means a 2AM start and a finish around 9AM. But for those of us in the Continental United States, we will still be on Tuesday and will start at 8PM Eastern, 5PM Pacific. The “day” will end in the US at 3AM Eastern, Midnight Pacific. A very long day for a lot of us in the US.

The final day, Thursday, will be held on Eastern Daylight Time (UTC-4) and will start at 9AM. So we get almost a day and a half before the final sessions. For people in Europe, this “day” will start at 3PM and end around 10PM. For those in Asia, the “day” will start mid to late evening on Thursday and not finish until early Friday morning.

This will be a very interesting Community Meeting. I look forward to “seeing” you all there.

Enjoy the sleep deprivation. 😉

31 Jul 21

PCI Dream Team LIVE! Is Coming In October

The PCI Dream Team will be appearing LIVE at the (ISC)2 Security Congress in Orlando this Fall, Monday, October 18 through Wednesday, October 20, 2021.   Our session is scheduled for Tuesday, October 19, at 11:45 AM ET/ 1545 UTC.

While we will be live at the conference, you can also attend the conference and our session virtually.  So other than training budget limitations, there is no other good reason you cannot join us.

As usual, we will be taking questions live and via email at pcidreamteam AT gmail DOT com.  We also monitor Twitter if you use #pcidreamteam.

We are expecting our usual lively discussion of all topics PCI and other security standards if time allows.

We really are looking forward to physically seeing people at the conference.

14 Jun 21

Last PCI DSS v4 Request For Comments Period

According to an email I received today, the draft validation documents (I am assuming that means the ROC Reporting Template and AOC) will be released on Monday, June 28, on the PCI Portal for QSAs, ISAs and POs to review and comment.

The comment period will be open for 30 days from that date.

Make sure you get your copy, review the documents and generate comments as this is your chance to have input on the PCI DSS.

11 Jun 21

Same Dream Team, New Venue

After years on BrightTalk, the PCI Dream Team is relocating to a new venue due to changes in BrightTalk’s revenue model (i.e., you need to pay to be on BrightTalk).

Thanks to Dream Team member Arthur “Coop” Cooper and his employer, TrustedSec, we will now be broadcasting through TrustedSec’s GoToMeeting instance.

Which brings us to the fact that the PCI Dream Team will be live online on Wednesday, June 23, at 1PM ET/ 1700 UTC. If you would like to attend this live event, you can register here. As usual, this will be an interactive event with attendees providing the questions to the Dream Team to answer.

We expect to have a lively discussion following the PCI SSC’s June 15 QSA event, which is scheduled to run an hour and a half. Still no clue as to what is going to be discussed at this QSA session, but if it is going to take an hour and a half it must be good.

As usual, we will also be accepting questions at pcidreamteam AT gmail DOT com. So if you cannot attend the live event or have questions that are just bugging you, you can submit them to that email account so that we have them for this session.

And as a reminder, no questions are off limits EXCEPT those regarding PCI DSS v4 (thank you NDA).

We look forward to seeing you at our new online home.

02 May 21

April 2021 Assessor Newsletter

A couple of interesting items in this month’s Assessor Newsletter that came out on April 30.

All Assessor Webcast

The first thing is the June 15 All Assessor Webcast that will be held at 1430 UTC and will be an hour and a half long. I reached out to some contacts I have and they are all mum as to what could possibly take an hour and a half to discuss. Given that the final RFC of PCI DSS v4 might be out by then, it could be there will be a discussion of that document. Regardless, I would recommend everyone sign up to attend this session.

QSA v4 Training

Another little interesting tidbit was in the QSA Program Changes. I do not recall hearing about this in the past, so that is why I found it interesting.

“QSAs can only perform assessments using versions of the standard for which they have received PCI SSC training:

– This requirement only applies to major releases of the standard, it does not apply to minor revisions.

– Once a QSA completes the PCI DSS v4 Transitional Training, an indicator will be added to the QSA Assessor listing on the Website.”

From what I can gather, what this means is that until a QSA has attended the PCI DSS v4 Transitional Training, that QSA will not be able to conduct a PCI assessment using the v4 template. As a result, I am guessing that attendance at these training sessions will be at a premium as QSAs will want to attend them as soon as possible. Hopefully these will be online sessions so that getting into them early is not as big an issue as it would be for in-person training.

QSAC QA Questionnaire

For those QSACs that have been looking for the annual QA Questionnaire, it was released on March 24 and is posted on the PCI Portal under the Resources Center. So make sure you download it and go through it as soon as you can.

FAQ of the Month

The final tidbit is regarding this month’s FAQ #1325 entitled ‘Does PCI SSC provide a “PCI DSS Compliant” logo?’.

“PCI SSC does not issue an official PCI seal, mark or logo that companies can use when they achieve PCI DSS compliance. Please note that the PCI logo is a registered trademark and may not be used without authorization. You may not use the marks PCI Compliant, PCI Certified, PCI DSS Compliant, PCI DSS Certified or PCI with check marks or any other mark or logo that suggests or implies compliance or conformance with our standards. If your company is a member of one of PCI SSC’s programs, i.e. PO, QSA, ASV, ISA, or QIR, please contact your Program Manager who can provide a program logo that can be used for members of that program only. Note that authorized use of an applicable PCI logo by a program member is not an indication of that organization’s PCI compliance status or an endorsement by PCI SSC.”

This ranks up there with FAQ #1220 on the subject of PCI compliance certificates and the fact that they are worthless. Why these practices continue to be allowed, I do not understand. I suppose until the Council begins putting QSACs in remediation for these incidents, they will continue.

Just thought these topics were worth sharing in case you missed the latest newsletter.

21 Apr 21

No 2021 Community Meetings

So much for getting together this year for a PCI Community Meeting anywhere in the world.  The Council sent out an email on Wednesday, April 21, that explains what will replace those events.

“PCI SSC is excited to announce the most important global online event for the payment card industry. New this year, the PCI SSC Global Community Forum will bring together industry experts from all over the world to share the latest in information security, update you on changes to PCI standards and programs as well as provide opportunities to network with peers. The PCI SSC Global Community Forum will take place online from Tuesday, 26 October – Thursday, 28 October.
This global online event held over the course of three days will include all the things you expect from PCI SSC events – important Council updates, regional insights, opportunities for feedback, networking, and fun engagement activities. Given the uncertainty of travel and international border restrictions, the Council has made the decision to offer this online event with dedicated days for each region presented in local time zones and cancel its 2021 in-person Community Meetings in North America, Europe, and Asia-Pacific.
Global Community Forum speaking submissions are still being accepted through Friday, 23 April at 11:59 PM EDT.”

Hopefully we will all get together in person sometime in the future.
