Archive for the 'PCI SSC' Category

22 Jun 22

PCI DSS v4 Global Symposium Is Now Available

The PCI SSC has published the PCI DSS v4 Global Symposium for all QSAs, ASVs and Participating Organizations (PO).

To virtually attend this pre-recorded set of presentations you can go here. The Symposium dropped on Tuesday, June 21, and is available through Tuesday, August 30, 2022.

The Agenda for this Symposium includes:

  • Welcome Remarks
  • PCI DSS v4.0 Highlights
  • Requirements: What’s New And Exciting
  • Flexibility For Implementing Security Controls (likely all about the new Customized Approach)
  • The New Approach To Reporting (explanation of how the new ROC template works?)
  • A Look Into Self Assessments
  • Preparing To Move To 4.0
  • PCI DSS v4.0 Educational Resources
  • Closing Remarks

I have yet to attend this almost three-hour symposium, but I am guessing, based on the topics, that some of it is a rehash of what we have already been provided. However, there does appear to be some new material, so it should still be informative and interesting.

20 Apr 22

The Gag Is Coming Off!

Coming Thursday, April 28, to an internet connection near you!

The PCI Dream Team of Ben Rothke, Art “Coop” Cooper, David Mundhenk and the PCI Guru himself will finally be able to openly discuss PCI DSS v4 – warts and all!

So, bring your questions and concerns to this open discussion of v4. As always, if you cannot attend the live session, you can submit your questions to pcidreamteam AT gmail DOT com.

Register here for this session.

We look forward to “seeing” everyone there.

03 Apr 22

PCI DSS v4 First Blush Comments

All I can say is Wow!  WOW! 

There is a LOT of “busy work” in this version. 

For any QSA that does not have access to some form of tool for filling this bad boy out, heaven help you. It seems that the Council has declared war on the QSACs and QSAs. I would venture a guess that the number of hours required to fill out the report and tick and tie everything will be twice the amount of time a QSA spends on actually doing the assessment.

Sadly, it is painfully obvious as to why this has happened. 

I am sure it is to get back at all of the “ROC Mills” out there (you know who you are) that conduct PCI assessments by essentially licking a finger, putting it in the air and sensing which way the wind is blowing, i.e., “you are compliant!” 

But sadder still are the poor merchants and service providers that are now collateral damage in this “war”. I would not be surprised if, after reviewing this albatross of a standard, those merchants and service providers revolt. That constituency is not going to pay for the overhead in this new version. Even those that have done the correct thing and minimized their scope are going to get screwed over because of all of the “busy work” required just to complete their assessments.

If the Council wanted to find a way to put themselves out of business, I think they have found that in v4. 

I thought I was only joking in my April Fool’s Day post about “Miserable Edition”.  But I was apparently spot on.  I cannot wait to attend training on this abomination to understand their justification for making a PCI assessment even more miserable than it already was. 

31 Mar 22

The PCI Council’s Bold Move

The long wait is over and PCI DSS v4 has finally been released!

In a very bold move, the Council has taken a page out of the Microsoft playbook.  Instead of being called “PCI DSS v4” the Council has chosen the name “PCI DSS Miserable Edition” or PCI DSS ME.

Council Communications Director, April Fool, said that, “Everyone was getting tired of the numeric increase, so with the consent of the card brands we decided to change things up a bit with this release.  Based on the feedback we have gotten from the Participating Organizations, QSAs and other stakeholders, this new designation seemed to be appropriate.”

I am sure we all remember how well Windows ME worked out and that set the bar pretty low.  PCI DSS ME can only be a step up.

Have a great day and do not get taken in by any calls from Mr. Bear or Mrs. Cougar.

21 Jan 22

The Final Draft Of PCI DSS v4 Is Available

The wait is over for participating organizations, QSACs and ASVs. The PCI SSC announced this morning that the final draft of PCI DSS v4 is available to the primary contacts of those organizations via the PCI Portal. The Council reiterated that the public release of PCI DSS v4 will be by the end of March 2022.

I guess I know where my weekend will be spent provided my primary contact downloads it today for me.

UPDATE: We really need to see the Report On Compliance (ROC) Reporting Template. There is some interesting stuff in the draft, but without the Reporting Template it is very hard to judge the impact the new version will have on assessments.

02 Jan 22

PCI DSS v4

I wrote this for my new employer’s (Truvantis) blog, so I figured why not point you to it here. Just my thoughts on the subject all of you are concerned about: what is in the coming release of the PCI DSS?

https://www.truvantis.com/blog/pci-dss-v4-2022-how-to-be-prepared

Enjoy!

19 Dec 21

Updated PAN Truncation FAQ

As part of the holiday giving tradition, the PCI SSC has given us an updated FAQ (#1091) on the subject of PAN truncation and it will likely go down as the most confusing FAQ ever.

The FAQ starts out simple enough with the statement:

“A maximum of the first 6 and last 4 digits of the PAN is the starting baseline for entities to retain after truncation, considering the business needs and purposes for which the PAN is used.”

But it is the table that follows that gets messy.

It seems that each of the card brands has their own take on PAN truncation based on PAN length and other factors. Only American Express has stayed the course.

Based on the guidance for UnionPay, Visa, Mastercard, JCB and Discover, the idea of first six/eight and ANY OTHER four is a bit bizarre, not to mention risky.

Never mind the obvious warning note at the end of the FAQ that states:

“Access to different truncation formats of the same PAN greatly increases the ability to reconstruct full PAN, and the security value provided by an individual truncated PAN is significantly reduced. If the same PAN is truncated using more than one truncation format (for example, different truncation formats are used on different systems), additional controls should be in place to ensure that the truncated versions cannot be correlated to reconstruct additional digits of the original PAN.”

Personally, I would stick with the good old first six, last four and avoid any of these other formats as you are likely setting yourself up for problems and PCI non-compliance.
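As an added example (not code from this post or from the PCI SSC), the following Python shows why the FAQ’s warning matters: it truncates a constructed sample PAN in three of the formats mentioned above and counts how many card numbers remain consistent with each view, alone and once the views are correlated. The factor of ten in each count comes from the Luhn check digit, which is fixed by the other digits.

```python
# Added example (not from the PCI Guru post or the PCI SSC FAQ): how much of a PAN
# several truncation formats reveal once they are correlated, which is the risk
# the FAQ #1091 warning describes. SAMPLE_PAN is a constructed 16-digit value that
# passes the Luhn check; it is not a real card number.
from typing import Iterable

SAMPLE_PAN = "4539578763621486"  # constructed sample, not a real card


def luhn_valid(pan: str) -> bool:
    """Mod-10 (Luhn) check that payment card PANs satisfy."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate(pan: str, lead: int, keep: Iterable[int] = ()) -> str:
    """Keep the first `lead` digits plus the 0-based positions in `keep`; mask the rest.

    First six / last four on a 16-digit PAN is truncate(pan, 6, range(12, 16)).
    """
    kept = set(keep)
    return "".join(c if i < lead or i in kept else "X" for i, c in enumerate(pan))


def correlate(views: Iterable[str]) -> str:
    """Merge truncated views of one PAN: a digit visible in any view becomes known."""
    views = list(views)
    return "".join(
        next((v[i] for v in views if v[i] != "X"), "X") for i in range(len(views[0]))
    )


def remaining_candidates(masked: str) -> int:
    """PANs consistent with a mask. The Luhn check removes one digit of freedom,
    so with u unknown digits only 10**(u-1) combinations are valid card numbers."""
    unknown = masked.count("X")
    return 1 if unknown == 0 else 10 ** (unknown - 1)


def compare_formats(pan: str = SAMPLE_PAN) -> dict:
    """Exposure of the baseline format alone versus three formats seen together."""
    n = len(pan)
    first6_last4 = truncate(pan, 6, range(n - 4, n))   # baseline in the FAQ
    first8_last4 = truncate(pan, 8, range(n - 4, n))   # 8-digit BIN variant
    first6_mid4 = truncate(pan, 6, range(8, 12))       # "any other four"
    merged = correlate([first6_last4, first8_last4, first6_mid4])
    return {
        "first6_last4": (first6_last4, remaining_candidates(first6_last4)),
        "correlated": (merged, remaining_candidates(merged)),
    }
```

With the three formats above, every digit of the sample PAN is covered by at least one view, so correlation leaves a single candidate; sticking to one format enterprise-wide, as the post recommends, keeps the baseline 100,000 candidates.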

Happy holidays to all!

24 Oct 21

Remote PCI Assessment Guidance Issued

At the end of September 2021, the PCI Council released a Guidelines and Procedures document on conducting Remote Assessments for PCI and card brand assessments.  Most of this document is a rehash of previous Council statements and guidance.  However, there is one new element in this document that all QSAs will need to read and comply with and that is the requirement of documenting a feasibility analysis to justify conducting a remote assessment.

Some of the examples the Council gives as valid reasons that an on-site assessment may not be feasible include:

  • Restrictions on the ability to travel or meet in person due to health and safety concerns or government advisories. We are all familiar with the COVID-19 pandemic and its impact on travel, particularly international travel. However, I encountered this a while back due to a volcanic eruption in Iceland that cancelled my trip to Europe. Since we had no way of knowing how long the eruption would cause travel disruptions and we were on a tight timeline, we conducted video conferences rather than travel.
  • Geographic locations that are physically inaccessible or difficult to reach. I personally ran into this situation several years ago when a data center in Europe that was supposed to be decommissioned before the next assessment remained operational. The company I worked for had shut down their EU operations and there was no way to justify 16 hours of flight time for a two-hour data center walk through. We held meetings with the data center operator via video conference and did a virtual walk through.
  • Testing required at a location is limited to documentation and interviews and no observations of processes, systems or physical environment apply.
  • The entity operates a virtual environment without physical premises or facilities. This has become more and more common with entities that operate in The Cloud. Why rent expensive office space when there is no need for it? This situation only got more prevalent with the pandemic and will likely only increase in the future.

As the Council states in their guidance,

“For many assessments, a combination of onsite and remote testing may provide a suitable balance, as it allows for increased efficiencies in the assessment process while enabling an appropriate level of assurance to be achieved in the assessment result.  For example, documentation reviews can often be performed remotely without significant loss of assurance, whereas observations of processes and environmental characteristics will generally require an onsite review.”

Regardless of whether the assessment fits into one of the bullets above, the Council wants QSAs to formally document their analyses of why the onsite assessment cannot be performed and the risks that may present to meeting the assessment objectives.  This analysis needs to be completed prior to starting any testing and is supposed to be a joint effort between the assessor and the client.

Topics that the Council recommends be addressed include, but are not limited to:

  • Confidentiality, security, and data protection requirements.
  • Availability and effectiveness of the remote assessment technologies.
  • Effects on entity’s personnel.
  • Effects on operation support.
  • Assessment scope and completeness.
  • Quality and reliability of digital evidence.

The Council further states:

“During the analysis, the entity and assessor should identify any challenges and potential risks associated with the remote testing and determine whether it is feasible for testing to be thoroughly completed to produce a high level of confidence in the assessment results.

The results of the feasibility analysis—including the risks and challenges associated with use of the remote testing methods, and any mitigating controls for overcoming the risks and challenges—should be documented and agreed upon by both the entity and assessor. A copy of the feasibility analysis results should be included with the applicable ROC/ROV. Entities and assessors may be required to produce the analysis upon request by the PCI SSC or applicable compliance-accepting entity.”

The key points from that statement are that: (1) the feasibility analysis needs to be submitted with the ROC/ROV and, (2) if requested by the PCI SSC or compliance accepting entity (i.e., Brand or bank), the QSA is required to produce the analysis. As a result, this is a non-optional exercise.

The feasibility analysis must document one of the following conclusions:

  • The assessment is feasible to be fully completed at this time using onsite methods, remote methods, or a combination of onsite and remote methods.
  • The assessment is only feasible to be partially completed at this time.
  • The assessment is not feasible currently.

According to the guidance, it is only those assessments that are completely feasible that can be conducted.

The Council includes a very important note regarding the analyses.

“The feasibility analysis determines whether the use of remote testing methods is feasible for a particular assessment.  Determining that a remote testing method is feasible does not guarantee that use of the testing method will produce the level of assurance needed for the assessor to reach a finding; this will depend on how the remote testing method is implemented and used, whether the testing can be completed for all applicable components and areas, and whether sufficient evidence is provided for the assessor to make a determination.  Assessors and entities should continue to monitor and evaluate the effectiveness of the remote testing methods throughout the assessment to confirm whether the testing methods are performing as intended and whether additional testing may be needed.”

This concept of “assurance” appears to be entirely in the eye of the beholder. Meaning, if the Council, Brands or Banks determine, in their opinion, that the remote methods are not providing appropriate levels of assurance, the ROC/ROV can be rejected. Not that a lot of banks are going to reject ROCs/ROVs on this, but I can see the Council’s AQM reviews and Card Brands rejecting ROCs/ROVs on analyses that they deem flawed or incomplete. The AQM process is the most concerning because a QSAC could end up in remediation due to a failure to appropriately document the remote assessment feasibility.

As with most edicts issued by the Council, they should have produced a form for this feasibility analysis so that everyone understands what is required from these feasibility analyses. Can the feasibility analysis be documented in section 1.2 of the reporting template or is a separate document required? I would recommend documenting it in section 1.2 for the obvious remote assessments, such as COVID travel restrictions and environments that are entirely in The Cloud, and a separate document for feasibility analyses that require a longer discussion.

Sadly, I foresee a lot of confusion and heartache in the QSAC community as we move through this new requirement. That is because I see a lot of assessments that are blocked due to COVID travel restrictions or the assessed entity having no physical offices being rejected for “flawed” feasibility analyses when they should just be allowed with no further documentation or discussion.

It will take time to see how this shakes out.

UPDATE 11/29/2021 – I received a comment on this post (see below) and the confusion is beginning. A service provider has had one of their customers request the documentation described in Appendix A of the remote assessment guidance document as well as the remote assessment feasibility study. Since these are ROC documents, there is no requirement from the Council that requires any organization to turn over their ROC to any third party other than their acquiring bank or the card brands. The AOC is the communication document to third parties. If an organization wishes to turn over Appendix A from the guidance, that is the organization’s decision, but it is NOT mandatory nor is it required by the Council.

14 Jun 21

Last PCI DSS v4 Request For Comments Period

According to an email I received today, the draft validation documents (I am assuming that means the ROC Reporting Template and AOC) will be released on Monday, June 28, on the PCI Portal for QSAs, ISAs and POs to review and comment.

The comment period will be open for 30 days from that date.

Make sure you get your copy, review the documents and generate comments as this is your chance to have input on the PCI DSS.

02 May 21

April 2021 Assessor Newsletter

A couple of interesting items in this month’s Assessor Newsletter that came out on April 30.

All Assessor Webcast

The first thing is the June 15 All Assessor Webcast that will be held at 1430 UTC and will be an hour and a half long. I reached out to some contacts I have and they are all mum as to what could possibly take an hour and a half to discuss. Given that the final RFC of PCI DSS v4 might be out by then, it could be that there will be a discussion of that document. Regardless, I would recommend everyone sign up to attend this session.

QSA v4 Training

Another little interesting tidbit was in the QSA Program Changes. I do not recall hearing about this in the past, so that is why I found it interesting.

“QSAs can only perform assessments using versions of the standard for which they have received PCI SSC training:

– This requirement only applies to major releases of the standard, it does not apply to minor revisions.

– Once a QSA completes the PCI DSS v4 Transitional Training, an indicator will be added to the QSA Assessor listing on the Website.”

From what I can gather, this means that until a QSA has attended the PCI DSS v4 Transitional Training, that QSA will not be able to conduct a PCI assessment using the v4 template. As a result, I am guessing that attendance at these training sessions will be at a premium as QSAs will want to attend them as soon as possible. Hopefully these will be online sessions so that getting into them early is not as big an issue as it would be for in-person training.

QSAC QA Questionnaire

For those QSACs that have been looking for the annual QA Questionnaire, it was released on March 24 and is posted on the PCI Portal under the Resources Center. So make sure you download it and go through it as soon as you can.

FAQ of the Month

The final tidbit is regarding this month’s FAQ #1325 entitled ‘Does PCI SSC provide a “PCI DSS Compliant” logo?’.

“PCI SSC does not issue an official PCI seal, mark or logo that companies can use when they achieve PCI DSS compliance. Please note that the PCI logo is a registered trademark and may not be used without authorization. You may not use the marks PCI Compliant, PCI Certified, PCI DSS Compliant, PCI DSS Certified or PCI with check marks or any other mark or logo that suggests or implies compliance or conformance with our standards. If your company is a member of one of PCI SSC’s programs, i.e. PO, QSA, ASV, ISA, or QIR, please contact your Program Manager who can provide a program logo that can be used for members of that program only. Note that authorized use of an applicable PCI logo by a program member is not an indication of that organization’s PCI compliance status or an endorsement by PCI SSC.” (FAQ Article Number 1325)

This ranks up there with FAQ #1220 on the subject of PCI compliance certificates and the fact that they are worthless. Why these continue to be allowed to go on, I do not understand. I suppose until the Council begins putting QSACs in remediation for these incidents, they will continue.

Just thought these topics were worth sharing in case you missed the latest newsletter.

Welcome to the PCI Guru blog. The PCI Guru reserves the right to censor comments as they see fit. Sales people beware! This is not a place to push your goods and services.