New QA Review Toughens PCI Assessors

Guest Columnist David Taylor is the Founder of the PCI Knowledge Base, Research Director of the PCI Alliance and a former E-Commerce and Security analyst with Gartner.

The number one complaint that we hear in our research on the PCI standards is that they are "absolute"—that there is no recognition of differences in risk across the various controls and that this posture promotes a "checklist mentality" and ineffective implementation and enforcement.

But we see that changing with the 1.2 version. However, many merchants have done little to formalize their IT risk management process, and simplistic spreadsheets with arbitrary (or non-defensible) risk levels and a cute "stoplight" (i.e., red, yellow, green) summary are common. Beginning with PCI 1.2, merchants need to take IT risk management more seriously, because it can save them money. The ability to "prove" to an assessor or acquiring bank that controls are effective in reducing risk will be increasingly important in reducing PCI scope and costs.

Network segmentation is still not a requirement, for some reason, but it's the single action that will save you the most money in the assessment. With the 1.2 version, there is increased focus on proving that the network segmentation is "adequate." A network diagram is required as well.

But, more importantly, a merchant needs to evaluate and quantify the risk associated with having a flat network, based on the number of access points and the ability to monitor and track this access. There are network monitoring tools that can tell you, continuously, of attempts to access specific network resources. Reports from these tools can quickly demonstrate to an assessor, acquirer or upper management the impact of different network segmentation schemes. This is one way to quantify risk and, thereby, to reduce PCI scope.

Store Sampling Process and Documentation. PCI 1.2 includes additional focus on sampling facilities outside headquarters. The goal of the sampling process is to understand the risks posed by the stores, because many security breaches originate there.

In this case, the key to reducing scope and assessment cost is being able to prove that store systems are configured consistently and any "gold load" configurations are followed. Just showing the assessor or acquirer a configuration document means little if the merchant cannot provide "reasonable assurance" that the configuration standards are being followed.

We have talked with many leading merchants who use configuration management tools. Even if they don't have enough new servers each month to justify the cost of "automating" initial configuration, the ability to place server configuration under change control is valuable for both PCI requirement 2 and requirement 10. This is another case where the use of automated tools can reduce manual effort while also serving to document the configuration consistency. These tools can pay for themselves because they can be used to justify a smaller store sample size, which will reduce the costs of the PCI assessment.

Although merchants too often use compensating controls as a PCI cost-cutting technique, these controls are really the heart and soul of risk management relative to PCI. Compensating controls may only be used if they can reduce the risks posed by the absence of the required controls. Therefore, a weak process for documenting and quantifying risk usually shows up in poorly defined compensating controls. In turn, this can cause compliance failure and additional assessment and technology costs, because if you cannot prove your compensating control reduces the risk, you'll have to (typically) pay to implement the required control.

There is increased focus and clarity in 1.2 regarding how to use compensating controls. For example, you must document how any compensating controls provide a "similar level of defense" and that they "sufficiently offset the risk" vis-�-vis the original control. One of the techniques for reducing cost and continuing to use compensating controls is to define a clear testing process for each control that is easy to review and objectively validated. This is another area where automated tools (e.g., for change management) can prove valuable in helping merchants provide ongoing validation for the risk reduction provided by each of the compensating controls, thus reducing costs.

Third Party/Outsourcing Risk. One area where IT risk management is typically weak is in how the risk of outsourcing and other uses of third parties is treated in the analysis. In the vast majority of cases, there is no risk analysis of the process of selecting third parties and little or no quantification of specific risk factors. There may be an overall "insource/outsource" analysis, but it is typically cost-driven or perfunctory to justify a decision post hoc.

In PCI 1.2, there is specific mention of the need to prove due diligence as to risk "prior to engaging" a service provider and the need to prove ongoing "monitoring" of compliance status. To prove this to an assessor, you may be able to get away with a simple "stoplight" style analysis.

But to properly manage and monitor these third parties, some form of data collection needs to take place. Meeting the "monitoring" requirement can almost certainly be done with anything from a simple online (or E-mailed) questionnaire to a requirement to submit IP scan results or other automated reporting.

Although the requirement does not say it explicitly, this should be done more often than once a year. Automated monitoring (of any sort) is certainly less costly than doing facility visits and it provides a better risk-based justification, particularly if there should be any problems, such as a breach.

The "Risk Sensitivity" of Assessors and Acquirers. Merchants have often complained that assessors are not aware of, or sensitive to, real IT risk. After speaking with many assessors and those who train them, we've heard clearly that assessors are being trained to be more sensitive to proven risk. As a result, being able to prove to an assessor that you understand, and can quantify, your risks is the best way to win over an assessor.

This is even more of an issue with working with your acquirer. Financial institutions are more "risk focused" than merchants. Compliance officers have told us that they want to see a risk management process in place that provides clear quantification and evidence that the merchants understand their IT risks, particularly relative to credit card data. In short, the ability to prove to an acquirer or assessor, through the use of objective, automated tools (if possible) the impact of specific controls (or compensating controls) is key to winning arguments and, therefore, to reducing compliance costs.

If you have a question about PCI 1.2, you can ask the PCI Knowledge Base panel of more than 75 PCI experts in our discussion forums. Also, if you're a retailer, we want to get you involved in the PCI Best Practices study we're doing with the National Retail Federation. It's 100 percent anonymous. Just send us an E-mail at [email protected]