Auditors shouldn't be pitching remediation services or products to bring a company into compliance with PCI DSS rules, but some merchants are reporting the practice, according to Diana Kelley, vice president and service director at the Burton Group.
"That's a big red flag if that happens to your organisation," she said. "If that happens … consider going with a new QSA." Kelley said qualified security assessors should do the PCI compliance assessment and may give some guidance. If an assessor offers a remediation service or a specific product, they should be reported to the PCI Security Standards Council, she said.
You have said that some merchants are being pitched by auditors for products. Is that really the case?
Diana Kelley: When you choose an auditor there is a list on the PCI Security Standards Council Web site that you could go to that tells you who is a qualified security assessor (QSA). If they are not on the QSA list they haven't passed the PCI Security Standards Council-approval process to be an assessor. There are some assessors who are actually trying to pitch at the same time they're in the assessment process. They will go in and remediate for you or they will pass you if you purchase a specific product from them because that will meet PCI. That's a big red flag if that happens to your organisation. The QSAs are there to do the PCI compliance assessment. They may give some guidance around remediation or around a specific kind of control. They can give that kind of guidance but if they say "pay us to fix it and we'll pass you," or "buy this product from us," that's really stepping outside of the bounds. If you do have a QSA that does that you should report it to the PCI Security Standards Council.
What is the scope of a PCI audit?
Kelley: In some cases the scope depends on the one that is being audited. The QSA who comes in to do your audit has to follow the security audit procedures which sync to the 12 requirement steps within PCI DSS. How big your payment ecosystem is, is very much the responsibility of the merchant or retailer because if you haven't done any zoning or firewalling of your payment ecosystem then your entire network could potentially be in scope. I highly recommend that you don't do that. So, scope down the payment ecosystem. Make sure that the systems that are handling credit card information and transactions are cordoned off from the rest of your network and in their own separate zone so that the scope is limited to that cordoned-off area. For more information on the scope, merchants, retailers and payment service providers can look at the security audit procedures. I highly recommend that.
Some companies have said they are frustrated that auditors are interpreting the rules differently. Is this an issue?
Kelley: PCI was hailed as one of the few standards that had come out that was very prescriptive. PCI gets to the level that you have to have antivirus, you have to have intrusion detection and that's a level of prescription that we haven't seen in some of the other controls that have come out. But when you really look at the security audit procedures, there are areas where you can have different levels of interpretation or subjectivity.
What are some of the other challenges to PCI DSS compliance?
Kelley: Understanding the rules is one of the biggest holdups. When I was doing research a big one was how to deal with the 3.1 encryption related to the primary account number and how do I also deal with the key management around that if I choose to encrypt. Another problem is understanding how to control access to that credit information so that you could meet the monitoring requirements and access control requirements of PCI because in some cases it means going back and rebuilding applications and making changes that the organisation hadn't anticipated doing. That could create quite a bit of work for the people involved.
What are compensating controls and what can companies do to alleviate some of the confusion around them?
Kelley: They are offered as an alternative way to protect credit card information at the level that 3.1 stipulates when it says encryption. The compensating controls are about the zoning and access control around that primary account number. Organisations can do that as an alternate. Talk to your assessor to make sure that what you posed is considered a compensating control that gets you to the level of protection of 3.1 that encryption would have. Also, rather than encrypt, you have the option to truncate the primary account number, one-way hash it, making it not usable for anybody else. You could still use it as a unique identifier. Another thing to look at in the compensating control world is whether you need to store that primary account data at all. If you don't need it for your business model, why store it?
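The truncation and one-way hashing options Kelley describes, as an added example that is not part of the interview: it truncates a PAN to the first six and last four digits, derives a keyed one-way token (HMAC-SHA-256) that can still serve as a unique identifier, and redacts Luhn-valid PANs found in free text such as a log line. The key, the sample log line and the use of the well-known Visa test PAN are constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed demo key. In a real deployment this comes from a key-management
# process, which is the part of the work the interview says merchants underestimate.
DEMO_KEY = b"constructed-demo-key-not-for-production"

PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test; rejects malformed input and most false positives."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep the first six and last four digits and replace the rest.
    The result is no longer a full PAN, which is what takes it out of 3.1's reach."""
    if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
        raise ValueError("not a well-formed PAN")
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes = DEMO_KEY) -> str:
    """Keyed one-way hash usable as a stable identifier for the card.
    An unkeyed hash is not enough: with the six-digit BIN known, only the
    remaining digits vary and the check digit is derived from them, so the
    space is small enough to enumerate. The key keeps the token one-way."""
    if not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid 13-19 digit run with its truncated form;
    other long numbers (order ids, trace ids, timestamps) are left alone."""
    return PAN_RE.sub(lambda m: truncate_pan(m.group()) if luhn_valid(m.group()) else m.group(), text)


# Constructed sample log line using the well-known Visa test PAN.
SAMPLE_LOG = "2008-01-01 order=77 trace=1234567890123 pan=4111111111111111 amount=12.50"

if __name__ == "__main__":
    print(redact_pans(SAMPLE_LOG))
    print(pan_token("4111111111111111"))
```

Whether a given combination of truncation, keyed hashing and zoning counts as a compensating control is still a question for the assessor, as the answer above says.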