The PCI Council may have thrown a compliance lifeline to retailers that are missing a required quarterly external vulnerability scan. This means you might—just might—be deemed PCI compliant even if through accident, poor planning or sheer blockheadedness you manage to screw things up and miss a vulnerability scan. Passing isn’t easy, and a successful result is not guaranteed. But if you do everything else right, your QSA may be able to assess you as compliant in spite of yourself. Then again, did the Council both offer an option and take it away?
During an onsite assessment, QSAs confirm that merchants have met PCI Requirement 11.2 by examining a passing external vulnerability scan for each of the last four quarters. A scan that fails can be fixed: you remediate and have the ASV rescan until you get a passing result. A quarter with no scan at all cannot be fixed after the fact. So what if the merchant has simply missed a quarter? Is the merchant noncompliant until it can show four consecutive quarters of passing scans? Ouch.
Noncompliance could lead to trouble with your acquirer, fines or worse while you wait for the calendar to come around. Unlike a previous suggestion that your only recourse was to get hold of Dr. Who and travel back in time to order the missing scans, the PCI Council may let you still be deemed compliant.
QSAs are taught at our training that merchants need to pass four quarterly external scans to be compliant. The Council’s FAQ on the topic (#8709) states: “To be considered PCI DSS Compliant, an entity is required to pass each quarterly ASV [Approved Scanning Vendor] Scan.” That sounds pretty cut-and-dried. But QSAs also are taught that for any PCI Requirement (except 3.2, storing sensitive authentication data after authorization) there can be a compensating control. So now the question becomes, what would a compensating control for a missed vulnerability scan look like?
A starting point is the November 2009 PCI Council guidance, with which your QSA will be familiar. It gives some idea of how a merchant can be assessed as compliant while missing a quarterly scan. Specifically, if your QSA believes you met the intent of Requirement 11.2 and your risk has been sufficiently addressed through your practices, the QSA can assess you as compliant even though you did not meet 11.2 exactly as stated (i.e., four quarterly passing scans). Those “practices” mean having all your other vulnerability management controls in place and documented. For example: timely patching of all systems; conducting internal and external penetration tests whenever there is an application upgrade or infrastructure change; and having your quarterly internal vulnerability scans in place and passing. For good measure, I’d add an internal procedure, with an owner and a calendar, so you don’t get in this fix again next year. With this approach, you might just be able to work with your QSA to make the case that you met the spirit and intent of 11.2.
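The internal procedure above amounts to two checks: does the scan evidence actually cover every required quarter with a passing result, and when is the current quarter's scan due. The following is an added example (not code from the original post or from the PCI Council) that performs both against a list of ASV scan records. It assumes that "the last four quarters" means the four most recently completed calendar quarters before the assessment date (how your QSA counts quarters may differ), and the scan records and assessment date are constructed sample data.

```python
"""Check ASV scan evidence for PCI DSS Requirement 11.2 coverage.

Added example, not from the original post. Assumptions are labelled inline.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class ScanRecord:
    """One external ASV scan: the date it ran and whether the ASV rated it passing."""
    scan_date: date
    passed: bool


def quarter_of(d: date) -> tuple[int, int]:
    """Map a date to its calendar quarter, e.g. 2009-08-01 -> (2009, 3)."""
    return (d.year, (d.month - 1) // 3 + 1)


def quarter_label(q: tuple[int, int]) -> str:
    return f"{q[0]}-Q{q[1]}"


def required_quarters(as_of: date, n: int = 4) -> list[tuple[int, int]]:
    """The n calendar quarters completed before the quarter containing as_of,
    oldest first. Assumption: the assessment looks at completed quarters only."""
    year, q = quarter_of(as_of)
    found = []
    for _ in range(n):
        q -= 1
        if q == 0:
            q, year = 4, year - 1
        found.append((year, q))
    return list(reversed(found))


def coverage_report(records: list[ScanRecord], as_of: date, n: int = 4) -> dict[str, str]:
    """Classify each required quarter as 'pass' (at least one passing scan),
    'failed_only' (scanned but never rescanned to a pass) or 'missing' (no scan)."""
    status = {}
    for q in required_quarters(as_of, n):
        in_quarter = [r for r in records if quarter_of(r.scan_date) == q]
        if any(r.passed for r in in_quarter):
            status[quarter_label(q)] = "pass"
        elif in_quarter:
            status[quarter_label(q)] = "failed_only"
        else:
            status[quarter_label(q)] = "missing"
    return status


def is_compliant(status: dict[str, str]) -> bool:
    """Strict reading of the FAQ: every required quarter must have a passing scan."""
    return all(s == "pass" for s in status.values())


def days_since_last_passing(records: list[ScanRecord], as_of: date):
    """Age of the newest passing scan; None if there is no passing scan on file."""
    passing = [r.scan_date for r in records if r.passed and r.scan_date <= as_of]
    return (as_of - max(passing)).days if passing else None


def scan_due_by(as_of: date) -> date:
    """Last day of the quarter containing as_of. Schedule the scan well before
    this so a failed result still leaves time for remediation and a rescan."""
    year, q = quarter_of(as_of)
    if q == 4:
        return date(year, 12, 31)
    return date(year, q * 3 + 1, 1) - timedelta(days=1)


# Constructed sample evidence: one quarter never scanned, one scanned but never
# rescanned to a pass. These are made-up records, not real scan results.
SAMPLE_SCANS = [
    ScanRecord(date(2009, 2, 10), True),
    ScanRecord(date(2009, 5, 4), False),   # failed, then rescanned below
    ScanRecord(date(2009, 5, 20), True),
    # 2009-Q3: no scan at all, the "missed quarter" from the post
    ScanRecord(date(2009, 11, 2), False),  # failed and never rescanned
]
AS_OF = date(2010, 1, 15)  # constructed assessment date

if __name__ == "__main__":
    report = coverage_report(SAMPLE_SCANS, AS_OF)
    for label, state in report.items():
        print(f"{label}: {state}")
    print("compliant on a strict reading:", is_compliant(report))
    print("days since last passing scan:", days_since_last_passing(SAMPLE_SCANS, AS_OF))
    print("current quarter's scan due by:", scan_due_by(AS_OF))
```

Run it against your own ASV report dates and the "missing" and "failed_only" entries are exactly the quarters you would have to explain to your QSA; the due date is what goes on next year's calendar so there is nothing to explain.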
Keep in mind that the QSA will not necessarily have the final word. Your acquirer needs to be comfortable with any control because they have to accept your Report on Compliance (ROC) or your Self-Assessment Questionnaire (SAQ) if you self-assess. Don’t assume your acquirer will give you a pass.
We can speculate whether a similar approach would work with other ongoing PCI requirements, such as daily log reviews or the six-month firewall rule set reviews. Based on the PCI Council’s position, and remembering that the acquirer has the final word, your QSA would be empowered to use their judgment in documenting and assessing the adequacy of your controls. Just don’t stretch things too far.
Vulnerability scans are a critical piece of any risk management program. Scans detect vulnerabilities you need to fix. The bad guys are scanning you right now, so why in the world don’t you want to know what they are learning?
The Council deserves credit for trying to square the circle; that is, reconciling a point-in-time assessment with a requirement that is historical in nature and truly unfixable if missed. The problem is that the Council’s guidance is not consistent.
On the one hand, it says missing an external scan won’t necessarily cause you to be noncompliant, so long as all the risks are being sufficiently addressed. But how in the world can you be addressing all your risks and then blow it with something as obvious as missing an external scan? All you had to do was to take 10 minutes and schedule them for the coming year.
Empowering the QSA is fine in theory. But what happens if (when?) the merchant is breached and forensics shows the cause to be an unresolved vulnerability that a scan would have caught? The merchant gets a whopping fine, and the only solace for me, the QSA, is mumbling the Council’s guidance to myself while standing in the unemployment line. Sweet. I think I’m going to keep the Dr. Who option open.
What do you think? How do you make sure you pass all your scans? I’d like to hear your thoughts. Either leave a comment or E-mail me at [email protected].