
11 Mar 2020

Remote Assessment Guidance Issued

The PCI SSC has issued guidance in response to the Covid-19 pandemic and conducting on-site fieldwork for PCI assessments.  Their blog post can be found here.

Given that governments around the world are saying that this pandemic could be ongoing until the summer, I would suspect that the Council will have to issue better guidance than what is in their latest blog post.  So I would expect more to come on this topic in the coming weeks.

03/19/2020 UPDATES: The Council has set up a Web page to track any Covid-19 updates. Also, guidance on remote assessments has been provided, and remote assessments are allowed given the current pandemic conditions. The key is to discuss a remote assessment with the banks and/or brands involved.

08 Mar 2020

The End Is NEIR – More Information And Clarity

Let us try this again, shall we?

I heard recently about a new PCI acronym – NEIR – from a variety of people.  It seems that, being the PCI Guru, everyone just assumed that I knew what NEIR was about.  I was totally stumped.  I had no idea what it stood for and various internet search engines were worthless, so I contacted people in my network to get educated.

After a number of communications with a variety of contacts, I was able to find out that this acronym is a new service offering from one of the larger QSACs in the United States.  NEIR, it turns out, stands for Non-listed Encryption Implementation Review.  According to the people I communicated with, this review results in a Report of Functionality (ROF).

After posting the original post, I was contacted by the QSAC regarding issues with that original post.  After a number of email exchanges, we realized where we needed clarifications, where there was confusion, and what needed to be corrected.  Based on what I was told by the people I communicated with and what the QSAC explained, there is obviously a lot of confusion regarding NEIR.  The QSAC is going back to clarify a few items on their side and I rewrote this post to reflect my new understanding of NEIR.

The first piece of confusion was that NEIR was created by the PCI SSC.  It was not; it was created by the QSAC, who then ran it past some people at the Council to make sure they were not doing something wrong.  My sources at the Council likely did not remember it because it did not go against any practices expected by the Council and was therefore forgettable in their minds.  However, the use of the word “vetted” in the QSAC’s description of NEIR seems to have created an impression with some people that NEIR was somehow officially approved by the Council, which was not accurate. The QSAC is addressing that issue going forward.

The second piece of confusion was that NEIR is mandated for PCI compliance.  I am sure this confusion comes from what NEIR addresses.  NEIR is a process to assess the implementation of an end-to-end encryption (E2EE) payment solution that has not gone through the P2PE validation process for scope reduction.

As a reminder, if a merchant has an E2EE solution and thus desires P2PE scope reduction for their assessment, then an assessment of the implementation of that E2EE solution must be performed to ensure it actually protects the payment information and reduces scope.  The results are then shared with the merchant’s processor/bank, and the processor/bank must give written approval to the QSA for P2PE scope reduction.

That assessment process is mandatory if a merchant expects P2PE scope reduction.  Every QSA that encounters an E2EE solution must go through this sort of assessment process and then get explicit approval for P2PE scope reduction from the merchant’s processors and/or banks.  If it is not performed, then P2PE scope reduction is not allowed for the assessment.

With NEIR, the QSAC has codified that E2EE assessment process for consistency resulting in the ROF for the processor/bank to review and formally approve the scope reduction.  I posted about this sort of process a while back which the QSAC’s representative referenced in our communications.

However, as unfortunately happens with these sorts of things, communications get bolloxed up and what prospects are told versus what they understand is not one and the same.  This is what I heard all about as I tried to figure out what was going on.  People were inconsistent about what NEIR was and how it worked, and since I did not get any materials from those people due to NDAs, I could not confirm or deny whether what they were saying was accurate.  The only consistency was that it was required for PCI compliance and that it was the Council that required it.  It took discussions with the QSAC to get to the bottom of all of this and clarify the situation.

So, there you have it.  Now you know about NEIR.  So, if you encounter it, you know what you are dealing with and what it addresses.  Nothing new, just one QSAC’s take on a process to assess E2EE payment solutions for P2PE scope reduction.

29 Feb 2020

PCI DSS v4 Update

QSAs, ISAs and ASVs got (or should have gotten) the monthly PCI Assessor Newsletter on Friday, February 28, and there were two items that I thought should be shared with the larger audience, because v4 keeps coming up in conversation and, due to the non-disclosure agreements (NDA) we are under, the PCI community has largely been silent on the topic.

So while I may get in trouble for sharing this information, I feel it needs to be shared because, as Aristotle is attributed as saying, “Nature abhors a vacuum.” Thanks to human nature and our silence, that vacuum has been filled with speculation and rumor about v4. The problem with all of this is that NOTHING has been finalized about v4 and will not be finalized for a while. So what you may have heard about v4 is what was in a first draft and who knows if it will end up in the final version?  No one will know that until the Council publishes the final version.

These two statements go a long way in helping everyone outside of the PCI assessor and participating organization communities to understand what is going on and hopefully will dispel a lot of those rumors and speculation.

Reminders about the Draft PCI DSS v4.0
As the PCI Security Standards Council continues to review over 3,200 feedback items received during the Draft PCI DSS v4.0 RFC period, we would like to remind you about a few important points.

We still have a lot of work ahead of us on PCI DSS v4.0, and we want to confirm that there is still at least a year before the standard is finalized and at least 2 years before PCI DSS v4.0 will be required. We strongly urge all entities to wait until the final version of PCI DSS v4.0 is released and that entities should not be trying to implement any new or updated requirements included in any PCI DSS draft before the final release! Please remind your clients that PCI DSS v4.0 is still draft only and does not supersede PCI DSS v3.2.1. Any actual changes, including new and updated requirements, for PCI DSS v4.0, will likely be quite different in the final, published version.

Also, note that the draft version of PCI DSS v4.0 is no longer available through the RFC portal (or otherwise). It was only available in the portal during the RFC period (28 October to 13 December 2019). We have already started making changes to the PCI DSS v4.0 draft as part of our RFC feedback review process.

We will provide PCI stakeholders with another opportunity to review the next draft of PCI DSS v4.0 via a second RFC later in 2020. We will provide more details as we progress. Stay tuned for further communications from us about your feedback and the next PCI DSS v4.0 RFC. More information about our upcoming RFCs and our RFC process can be found on our Request for Comments page.

Responsibilities for Sharing the Draft PCI DSS v4.0 RFC Materials
We are aware that some assessors are sharing information about the Draft PCI DSS v4.0 RFC outside of their organizations. This article is intended to remind assessors of their obligations in this regard.

The draft PCI DSS v4.0 and all supporting documents provided within the portal during the RFC period are shared strictly under NDA, which prevents you from using or quoting the content from any RFC documents outside of your organization. Access to RFC content and participation in RFCs is a benefit reserved for PCI SSC stakeholders. That being said, we do encourage PCI SSC stakeholders to help raise awareness in the payments industry around the planned update to PCI DSS and it is permissible for your organization to share information about PCI DSS v4.0 based on publicly available information from the Council, which is available in PCI SSC FAQs, blogs, and PCI SSC presentations from Community Meetings and other PCI SSC public events.

If you do share information from the Council about PCI DSS v4.0, reiterate the following in any material your organization presents or publishes:

  • Information provided is your company’s opinion and does not represent the position of the Council. For information from the Council on PCI DSS v4.0, they should visit the PCI SSC website.
  • Information about PCI DSS v4.0 is based on an early draft of the standard that will most likely change significantly over the next months.

So there you have it straight from the source.

Again, the bottom line is that NOTHING about v4 has been finalized and it will be a while before it is finalized and made public. So focus on complying with v3.2.1 and the Council will let us all know when v4 is ready to roll out.

20 Jan 2020

PCI Dream Team LIVE!

We finally have a date and time for the LIVE PCI Dream Team session at Secure360 in Minnesota.  The PCI Dream Team will be appearing on Tuesday, May 5, at 1:15PM in Waconia 2.  Secure360 is the oldest, largest and best security event in the Upper Midwest.

As with all PCI Dream Team events we will be accepting your questions through our pcidreamteam AT gmail DOT com email account. (You can always submit questions through this email address and we will address them at our next session).

This year’s Secure360 will be at Mystic Lake Center which is a great venue near Prior Lake southwest of Minneapolis.

We look forward to seeing all of you there!


26 Dec 2019

The PCI Dream Team Kicks Off The New Year

On Tuesday, January 14, at 1800 UTC (1PM ET) the PCI Dream Team will be back in session on BrightTalk for one hour.  If you would like to attend, please register here. As always, the session will be recorded for playback at a later time.

While you can submit questions during the BrightTalk session, do not forget that you can also submit your questions for this Dream Team session at pcidreamteam AT gmail DOT com. We will do what we can to get to all questions during our hour.

Also, the PCI Dream Team will be doing a LIVE session at the 2020 Secure360 conference in the Twin Cities of Minnesota on May 5 – 6 (time and date yet to be determined). So if you want to attend a great security conference and get to meet and greet the PCI Dream Team, please attend Secure360 in 2020.

08 Dec 2019

Are You A Level 2 Merchant? Beware The MasterCard Trap

I had a discussion with a prospective client and, as things usually go, you want to determine their merchant level.  As it turned out, they were confused about the differences between Level 3 and Level 4, and their bank was just as confused.  The merchant had a 2 to 1 advantage in Visa transactions (around 800K) over MasterCard and, in total, had more than one million transactions across all card brands.

When their bank couldn’t decide their merchant level, the bank referred them to Visa since the bank was affiliated with Visa.  Visa informed the merchant that they were considering them a Level 2 merchant because of the high volume of eCommerce transactions (80%+) and their total transaction count for all payment cards (around 1.3M).

With this information in hand I said, “Well, it looks like you’ll be doing a ROC.”

The CFO at the other end of the WebEx exclaimed, “Say what!  Why do we need to do a ROC?  The standard says we can do a self-assessment!”

Sadly, another merchant gets caught flatfooted by the card brand rules.  People think that the PCI DSS and other PCI standards are all they have to worry about for card payment compliance.  However, the card brands (i.e., Visa, MasterCard, American Express, Discover and JCB) also have their own security programs in addition to the PCI standards, and those also need to be followed.  Think that is not the case?  That Merchant Agreement from the bank that someone in the merchant’s organization signed calls out that not only do PCI standards need to be followed, but the rules from the card brands the merchant has agreed to accept for payment (almost always Visa and MasterCard with one or more of the others) also need to be followed.

One of those “quirks” in the card brands’ programs that comes up is this one regarding Level 2 merchants and MasterCard.

The first thing everyone needs to remember is that if a merchant is at a certain merchant level for one card brand, they are at that merchant level for ALL the card brands.  The second thing to remember about merchant levels is that any of the card brands can set the merchant level for a merchant regardless of transaction volume.  I have had merchants end up as a Level 1 merchant with fewer than 30K transactions all because the dollar value per transaction was extremely high as with business to business (B2B) transactions.

With that information, a merchant now needs to go to the Web sites of the card brands it accepts and review their rules.  If you go to the MasterCard Web site to the page titled ‘What merchants need to know about securing transactions’ and scroll down to the merchant level requirements for Level 2, you will see footnote 3 next to the requirement “Onsite Assessment at Merchant Discretion”.  That footnote states the following:

“Level 2 merchants that choose to complete an annual self-assessment questionnaire must ensure that staff engaged in the self-assessment attend PCI SSC ISA Training and pass the associated accreditation program annually in order to continue the option of self-assessment for compliance validation. Alternatively, Level 2 merchants may, at their own discretion, complete an annual onsite assessment conducted by a PCI SSC approved Qualified Security Assessor (QSA) rather than complete an annual self-assessment questionnaire.”

For an organization to get an employee trained as an ISA, you need an employee with a background in both compliance and technology.  Typically, this would be someone in the internal audit department, which a lot of Level 2 organizations do not have, or if they do have one, the people do not have the time to take on PCI. Then there is the cost, which is $3,100 USD plus travel expenses, since most ISA training is not done locally unless you are lucky. And finally, there is the employee retention issue after such an investment.

In the end, most Level 2 organizations do not see the cost benefit of training one of their employees to be an ISA in order to do an SAQ.  That is why I made my comment about Level 2 merchants doing a ROC.

Oh, and for the record, the PCI standards do not dictate which organizations can fill out a self-assessment questionnaire (SAQ) and which fill out a Report On Compliance (ROC).  The card brands dictate that based on merchant and service provider levels.  In this case, MasterCard has its own ideas in that regard when it comes to Level 2 merchants.

08 Nov 2019

Why The Roaring Silence About PCI DSS v4?

So, it has been over a week since v4 came out in draft for comments from QSAs, Participating Organizations and other stakeholders. Yet there has been nary a peep online about it even from The PCI Guru. I know a lot of people are pinging me and complaining because they want to know what is going on.

I would love to share my observations and opinions, but …

The Council made us all agree to a Non-Disclosure Agreement (NDA) that does not allow us to openly discuss the new version of the PCI DSS outside of our own organizations.  Because of this, you should not hear word one about the new version until the Council tells us it can be openly discussed.

It is not that we do not want to share. It is that we are not legally allowed to share.

So please be patient.

Update: From the November 2019 Assessor Newsletter.

Can I share information about PCI DSS v4.0 outside of my company?
We have received several inquiries about whether POs, QSAs, and ASVs are permitted to share information externally about PCI DSS v4.0, and if so, what information can be shared with other organizations. We encourage PCI SSC stakeholders to help raise awareness in the payments industry around the planned update to PCI DSS; however, access to RFC content and participation in RFCs is a benefit reserved for PCI SSC stakeholders. It is permissible for your organization to share information about PCI DSS v4.0 based on publicly available information from the Council, which is available in PCI SSC FAQs, blogs, and PCI SSC presentations from Community Meetings and other PCI SSC public events.

Note: The content of the RFC documents is strictly under NDA and cannot be shared, used, or quoted.

If you share any information about PCI DSS v4.0, as referenced above from publicly available materials from PCI SSC, you are asked to please reiterate the following in any material your organization presents or publishes:

  • Information provided is your company’s opinion and does not represent the position of the PCI Security Standards Council. For information from the PCI Security Standards Council on PCI DSS v4.0, individuals should visit the PCI SSC website.
  • Information about PCI DSS v4.0 is based on an early draft of the standard that will most likely change significantly over the next several months.

Thank you for your help in increasing awareness of PCI DSS and for your cooperation with these guidelines. It will help minimize confusion and ensure that clear, consistent, and accurate information is being communicated to the payments industry.


29 Oct 2019

PCI DSS v4 Draft Is Out

According to a PCI SSC Blog post, the Request For Comment (RFC) phase has started for the newest version of the PCI DSS.  The draft can be obtained at the PCI Portal (https://programs.pcissc.org/), to which QSAs, Participating Organizations (PO) and ASVs have access.  The RFC phase began yesterday and continues through December 13, 2019.

I tried to find the documents in the Portal, but I am guessing that only the Key Contacts for organizations have access.

15 Oct 2019

Why Recreate The Wheel?

David Mundhenk at The Herjavec Group and a member of the PCI Dream Team produced a great post about the top 3 PCI DSS concerns of 2019 that everyone should read. Since I am having a bit of a drought writing my own posts, I thought this would be a good one to share. Enjoy!

23 Aug 2019

Enjoy Vancouver

Due to a personal scheduling conflict, I will not be in Vancouver for the 2019 PCI Community Meeting. I will miss seeing, visiting and catching up with all of you.

I will be in Orlando for a LIVE version of the PCI Dream Team with Ben Rothke, David Mundhenk and Art “Coop” Cooper at the (ISC)2 Security Congress. We are scheduled for Wednesday, October 30, at 8:30AM in Northeast E2. If you would like to register for this conference, go here.

Enjoy this year’s CM and hopefully I will be at next year’s event.
