I always enjoy the Q/A sessions that the Council has at these events. I don’t know how many sessions I will be able to blog about (we only want the interesting ones anyway), but here’s the first bunch of Q/A from this session!
The first question was around segmentation and SANs. I’d never heard the question asked that way, but most SANs by nature are segmented from each other.
The more interesting point here is what constitutes segmentation? So many assessors only consider firewalls a method of segmentation. According to the documentation provided by the council, segmentation can be accomplished in multiple ways–not just by deploying firewalls. QSAs should be looking at the whole solution, not just fixating on a point solution (hey, sound familiar from a remediation perspective?).
Second question was on sampling… another issue that often comes up. The new version of the standard says to use a representative sample (they used to use the term selective sample), but since the samples are not statistically valid, it makes choosing a sample a bit of a gut feel. You will see variance between QSAs here as we all seem to have a different opinion on what constitutes a representative sample.
Then a question was posed on a move to use standardized solutions. The recent push with the standard is to remove specific products and technologies which is the right way to go (by the way, that is called being vendor neutral, not vendor agnostic). The point was really geared towards small companies that may be looking to buy pre-packaged solutions as opposed to designing their own. I feel their pain; vendors often pitch silver bullet solutions that do not work together very well.
The next question was a cleverly disguised sales pitch. Don’t do that. Seriously.
Ahh, my nemesis just asked a question. Guess what question he asked? “Can you make a statement that says you don’t have to store cardholder data?” It’s in there bud, just take a look. I’ll re-iterate for you in case you don’t want to search:
Merchants are not required to store cardholder data. Every merchant we have worked with has been able to get their acquirers to accept truncated numbers for chargebacks (or other post-settlement operations). I know that people still believe that the associations require merchants to store data because I had a discussion with a CISO on this issue recently. It would be great if you could stop spreading mis-information.
On the other hand, you do make writing this blog interesting…
The next several questions are nothing that has not been answered before, mostly around scope creep issues.
Back to segmentation, and this one was a customer specific question from a QSA! The old “I have a client that…”
So there you have it! Lots of similar questions from the US PCI meeting.
Possibly Related Posts:
- PCI DSS 4.0 Released plus BOOK DETAILS!
- PCI Council Loses $600K in Revenue, PO Population on the Decline
- Why PCI DSS 4.0 Needs to be a Complete Rewrite
- Orfei Steps Down
- Should you be a PCI Participating Organization?