Posts Tagged ‘annual community meeting’


Another Annual Community Meeting

Another year has come and gone and so has another North American PCI Community Meeting. This one was held in the beautiful city of Vancouver, British Columbia, Canada.

I have to say that the new leadership of the Council is showing. I heard many comments from attendees that this year’s conference was better than in years past.

The Good

  • The ‘Mobile Forum Roundtable Discussion’ was probably the best session of the conference. That is based on comments from the attendees of this session as well as the comments from other conference attendees that went to the competing sessions. If the Council is looking for how to structure future sessions, this is the format. Participants sat at numbered tables and each table was given a question on the topic of mobile payments to discuss for the first half of the session. In the second half, a representative from each table presented the findings from that table’s discussion. I think the Council’s Mobile Working Group, some of whose members were present, as well as the other attendees of this session learned a lot in an hour and a half.
  • There were two notable sessions regarding point-to-point encryption (P2PE) that had nothing to do with P2PE. One was given by First Data regarding TransArmor and the other was given by Caesars International regarding Shift4. Neither of these end-to-end encryption (E2EE) solutions is P2PE validated. In years past, these sessions would never have occurred. Apparently the new leadership at the Council felt it was important to have their stories told to the Community Meeting participants as a more secure way of conducting transactions even though neither is a P2PE solution. I commend the Council for their foresight in holding such sessions.
  • Brian Krebs’ keynote on Thursday was not at all what I was expecting. I expected Brian would mostly rehash stuff out of his latest book, as most writers do at these sorts of events. Instead it was a very informative and enlightening session with a lot of good information. Those who regularly read his blog had already heard a lot of the stories he told, but not with the personal touches he added to them. If anything, people walked away with a better understanding of why card data is sought after by the underground.
  • As always it was great to get together with everyone involved in PCI and meet a lot of you. The nightly receptions were excellent as were the session breaks. It always amazes me how many people just walk up and introduce themselves to me at these meetings. I really appreciate the fact that so many of you find the blog so useful as well as providing people with a voice in sharing frustrations with PCI and the process. Thank you to all of you that read this blog and find it useful.

The Not So Good

  • The Thursday “TED Talks” format was so-so. While it was definitely the talk at lunch and afterwards at dinner, it was not viewed as a highlight. As I coalesced the comments I heard, I do not think it was the format so much as that not all of the topics presented belonged in such a format. For anyone that has seen or been to TED Talks, they are very, very high energy and involve a passion for a topic that was not completely present in those Thursday sessions. If this is a format the Council wants to use going forward, then the topics are going to have to have a much higher energy to them and be much more important to discuss.
  • I had to chuckle at the vendor booths that were pushing their “silver bullet” solution for PCI compliance. There were only a very few of these “snake oil salesmen” present, but there they were saying they could put parts of your environment completely out of scope for PCI compliance. I thought we were long past such claims, but apparently not.
  • As with any such event, I saw a lot of people that I really wanted to talk to and just did not get the chance to catch up with them.
  • I unfortunately ended up with a number of client and emergency meetings I needed to attend during the conference. As a result, I had a few interruptions and could not attend a number of the sessions I really wanted to attend.

The Notably Missing

  • Professional Breakout Sessions were missing. This is a PCI conference that brings together qualified security assessors (QSA), internal security assessors (ISA), approved scanning vendors (ASV) and participating organizations (PO). Yet, there were no breakout sessions for those participants to meet with anyone from the Council. You would think that getting feedback from each of these important groups would be important to the Council. Other than these groups going individually to the Council’s office on “Card Brand Row”, there was no program for these important constituents to get together and voice their concerns. One would think this is a key part of why you hold such an event yet this piece was missing.

Overall though this year’s Community Meeting was probably one of the better ones I have attended.

See you all next year in Las Vegas.


2014 North American PCI Community Meeting

Another year has come and gone and so has another PCI Community Meeting.  There were a number of interesting events at this year’s meeting.  Some I will cover here and some I still have to digest and determine what they really mean.

Good Bye Bob

This year’s meeting is the last one for the PCI SSC’s current General Manager, Bob Russo.  Over the years, Bob has been a good sport and has been a cowboy and other characters.  This year’s community meeting was no exception.  At Wednesday night’s networking event, Bob showed up as Gene Simmons’ brother decked out in silver colored platform boots, black tights, leopard spotted top, long black hair and doing his best to show off his tongue.

A lot of us over the years have pilloried Bob for various edicts and clarifications, as he was the leader of the Council.  However, if we step back, Bob got the PCI SSC off the ground and took on the thankless task of combining the disparate security standards of the five card brands and giving us the common set of standards we have today, and then asked us to do our best to ensure that those standards were followed.

Even though I have been critical at times of Bob, he has always been pleasant and cheerful to me and others at the community meetings and other events where he was present.  Bob recognized that there are always some of us in the crowd that are very passionate about security and tried to assist us in channeling that passion.

Bob stated that he will be doing a “Goodbye Tour” to the other community meetings this year, so make sure to thank him for his efforts, shake his hand and say your goodbyes at whatever meeting you are able to attend.

P2PE v2

The first versions of P2PE were lambasted for being pointless, and the number of solutions certified, now at six, has somewhat proven that the newest of the PCI standards needed some work.  As a result, in November 2014 we will receive version 2 of the P2PE standard.  According to people I spoke with at the meeting that have seen the new version, the new standard should be much better. Is it perfect? No. But it supposedly is a better version than the originals.

The most notable change to the standard is the approach the Council has taken.  Based on the presentation made, they seem to be abandoning the complete end-to-end model and are moving to a component approach based on how the solution will be implemented.

But the huge change to the standard is that a certified P2PE solution can be managed by a merchant without a third party.  That is, merchants can manage the encryption keys.

It will be interesting to see just how much the standard has changed since its last iteration only a year ago.  But most of all, it will be interesting to see how the new implementation approaches will work.


The biggest clarification to come out of the community meeting on SAQs is the Council’s and card brands’ endorsement of using multiple SAQs for documenting compliance with the PCI standard versus doing an SAQ D.

This situation occurs when a merchant has multiple payment channels such as with merchants that have retail stores using traditional card terminals (SAQ B or B-IP) and an eCommerce presence that is outsourced (SAQ A or A-EP).

The other area of discussion that seemed to cause a bit of a stir was related to Web sites that use redirects or iFrames for payment processing.  The contention stems from past claims by vendors of these sorts of payment solutions that their solutions placed merchants out of scope for PCI as it related to their eCommerce operation.

Ever since the issuance of the eCommerce information supplement in January 2013 and with the recent issuance by Visa of their eCommerce guidance, the outsourcing world has been buzzing about the implications.  Merchants of course have been going back to their eCommerce outsourcers and complaining about the fact that their eCommerce is no longer out of scope.

Reliance On Others’ Work

My final comment will be related to a question I asked at the Open Forum session on Wednesday.  We have been getting push back from our larger clients on our limited use of their internal audit work, SSAE 16 reports, ISO 27K audits and similar work, if we used it at all.  The driver is that clients want to minimize the amount of disruption to their personnel by all of the audits and assessments that are occurring these days.  This prompted me to ask the question at the Open Forum as to the Council’s advice on reliance on other auditors’ work to reduce sampling.

The answer I received was, “No, absolutely not.”  Quickly followed by, “Of course, I mean other auditors, not other QSAs and PA-QSAs.”

This blunt answer apparently shocked the audience as the people on stage reacted to that shock as well.  The people onstage then backed off saying that the Council would have to take the issue back and discuss it.

After asking this question I was approached by a number of people thanking me for bringing up the topic.  The bottom line is that organizations are audited and assessed out.  Most feel like one audit/assessment ends and another one begins.  But the truly annoying thing is that there are certain portions of all of these audits/assessment that cover the same ground over and over and over again such as with physical security, access controls and end user management.  Handled properly, it would not eliminate all testing, but it would definitely reduce the amount of testing and also reduce sample sizes.

But a very telling comment came from a member of the American Institute of Certified Public Accountants (AICPA) who told me that the AICPA has repeatedly tried to meet with members of the PCI SSC to discuss the SSAE 16 standard and how it could be used to reduce a QSA’s work only to be rebuffed by the Council.

Organizations would be more willing to go through PCI assessments if work done by their internal auditors as well as outside auditors could be leveraged to simplify their lives, not complicate them.  This will only become more important as the Council pushes organizations to adopt business as usual (BAU).

If I had one important take away for the Council to work on, it would be to work with other standards bodies such as the AICPA, ISO, FFIEC and the like and work toward providing guidance to organizations on how to use internal and external audit reports.


The 2010 PCI Community Meeting

It is that time of the year.  Time for another get together with the PCI SSC, the card brands, participating organizations and QSAs.  This year’s meetings are in Orlando and Barcelona.  Unfortunately, I am not going to be in attendance due to scheduling conflicts.  Since I will not be able to attend, I thought I would provide a topic for discussion.  I want to get the PCI SSC to repeal their inane Report On Compliance (ROC) report writing standard.  This standard has become onerous and, in the end, has become “make-work”.

To understand this situation, you need a bit of history.  Until last year, the only way the PCI SSC and the acquiring banks could verify that a QSA had done their job properly was to read the ROC.  The ROC was required to contain references to all of the documentation, interviews and procedures the QSA had observed to ensure that an organization was complying with the PCI DSS.  This led the PCI SSC to develop an extensive grading and scoring spreadsheet that is used to determine if a ROC covers everything it is required to cover.  Each test may have any of the following components.

  • Observation;
  • Interview;
  • Documentation;
  • Process/action/state; and
  • Network monitoring.

Each of these components may be assessed one to four scoring points depending on the number of occurrences that may be contained in the given test.  A ROC must score better than 75% of possible points to avoid remediation.  But the PCI SSC expects that a ROC should score no lower than 95% of possible points.

The PCI SSC has instructed QSAs that each test in the ROC must be able to stand on its own.  This means that one test is not allowed to reference another test.  As a result, QSAs must replicate a lot of information throughout the report.  This obviously introduces the potential for errors and omissions in the report as well as making the report unnecessarily long.

To ensure the report writing process is truly questionable, the PCI SSC recommends that QSACs develop pre-written templates so that all of the components get covered for each test.  While a template speeds the report writing process, I would still estimate that the report writing process consumes at least one-third to one-half of a PCI assessment’s budget.  Not only does it take time to write, but it takes a lot of time to proof and to review.

As I stated earlier, last year the PCI SSC began requiring language in all QSA contracts that grants the PCI SSC the right to examine any QSA’s work papers.  As a result, one would think that this report writing standard would no longer be needed, but it is still in place.

Because a lot of our clients use hosting services, we get to see a lot of ROCs that have been prepared by other QSAs.  You can really tell those QSAs that have not been through the PCI SSC QA process by the fact that their ROCs are very short and lack detail.  But for those QSAs that have been through the QA process, based on my review of their ROCs, the grading scale seems to have caused QSAs to worry more about how the ROC is written and not necessarily about the actual assessment of the security practices of their client.  A lot of the writing is more about meeting the scoring template and not about the controls.  In some cases, the writing makes you start to wonder if the control is really in place.

ROCs can become inordinately long because of the replication of the same information over and over.  During our QA remediation, we were told that the average ROC ran around 180 to 200 pages; however, I have yet to see one produced by us that is under 250 pages, and we seem to average around 350 to 400 pages.  I have heard from some reviewers at acquiring banks that the only worthwhile information in these tomes is anything that is not in place and any compensating controls.  If that is all that is getting read, then what is the point of all of this other information that is being ignored?  The point is that it remains the way that the PCI SSC ensures that QSAs are doing their job.  And as I stated earlier, if the writing makes you question whether the control is in place, then what is the quality of all of this writing?

Now that the PCI SSC has the right to review a QSA’s work papers, there is no reason to require all of this pointless verbiage in the ROC.  QSAs should be able to have one column for each requirement in the report labeled ‘Status’ and the entry in the column is either ‘In Place’ or ‘Not In Place’.  If something is not in place, then the column next to it, labeled ‘Comments’, should document what is being done to bring a requirement into compliance and when that will occur.

If the PCI SSC is not comfortable with this approach, then maybe they have the wrong organizations as QSACs and they need to get rid of those that cannot conduct the work to professional standards.  This approach works for financial auditors; there is no reason it cannot work here.

Have a good time in Orlando or Barcelona.
