The Liberal Assessee

If you are tasked with helping a company comply with PCI DSS without all the resources you need to do the job appropriately, you may end up taking a more liberal interpretation of the standard as a shortcut to compliance. Let me be frank: the only shortcut to compliance is to completely outsource your payment processing environment to someone else. It will cost you more to process transactions, which might be what you should be spending on PCI Compliance anyway[1].

[Image: 2004 Election Map, by TheLawleys]

Assessees become stage actors at this point in the conversation. I’ve seen some fairly silly controls argued with Oscar-worthy passion. One particular example was a customer of mine that tried to convince me that the basic functionality of Redundant Array of Independent Disks (RAID) is a perfect compensating control for Requirement 3.4, protecting stored data. She argued that any single disk removed from a RAID-5 array would only contain fragments of data and would not yield any useful data to an attacker. While in some cases she is correct, Requirement 3.4 is not trying to protect the physical security of cardholder data stored on a disk—Requirement 9 is. Let’s run this through the four tests from above and see what we come out with:

  1. RAID-5 as an algorithm does not meet the original intent and rigor of Requirement 3.4, mainly because it employs no data protection mechanism at all, neither strong access controls nor strong encryption.
  2. While this might provide a similar level of defense in the case of physical theft, it’s not equivalent. We’d be pushing our luck to call it similar.
  3. This is most definitely not above and beyond the other PCI requirements.
  4. Finally, RAID-5 as a data protection mechanism is not commensurate with the additional risk of not protecting the cardholder data.

One out of four is not good, and definitely does not meet the litmus test required to consider this a compensating control.
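To make the RAID-5 argument concrete, here is an added example (not from the original post) that stripes a constructed cardholder record across three simulated disks with rotating XOR parity. It rebuilds the record with one disk missing, which is what RAID-5 actually provides (availability), and then lists the readable fragments found on a single pulled disk, which is what it does not provide (confidentiality). The record, the test PAN 4111111111111111, the three-disk layout and the eight-byte chunk size are all constructed for the example; Requirement 3.4-style truncation is shown alongside for contrast.

```python
"""Added example: what a single RAID-5 member disk actually holds.

Constructed data only: the record, PAN, disk count and chunk size below are
chosen for illustration and are not from the original post.
"""
from typing import List, Optional

# Constructed sample record using a well-known test card number.
RECORD = b"PAN=4111111111111111;EXP=1225;NAME=JANE DOE"


def xor_bytes(*chunks: bytes) -> bytes:
    """Byte-wise XOR of equal-length chunks; this is all RAID-5 parity is."""
    out = bytearray(len(chunks[0]))
    for chunk in chunks:
        for i, b in enumerate(chunk):
            out[i] ^= b
    return bytes(out)


def raid5_write(data: bytes, n_disks: int = 3, chunk_size: int = 8) -> List[List[bytes]]:
    """Stripe data across n_disks with rotating parity.

    Returns disks[d] = list of chunks stored on disk d, one per stripe.
    Data is zero-padded to a whole number of stripes, as an array would pad
    to its stripe size.
    """
    if n_disks < 3:
        raise ValueError("RAID-5 needs at least three disks")
    per_stripe = (n_disks - 1) * chunk_size
    data += b"\x00" * ((-len(data)) % per_stripe)
    disks: List[List[bytes]] = [[] for _ in range(n_disks)]
    for s in range(len(data) // per_stripe):
        stripe = data[s * per_stripe:(s + 1) * per_stripe]
        chunks = [stripe[i * chunk_size:(i + 1) * chunk_size] for i in range(n_disks - 1)]
        parity = xor_bytes(*chunks)
        parity_disk = (n_disks - 1 - s) % n_disks  # parity rotates one disk per stripe
        data_iter = iter(chunks)
        for d in range(n_disks):
            disks[d].append(parity if d == parity_disk else next(data_iter))
    return disks


def raid5_read(disks: List[Optional[List[bytes]]]) -> bytes:
    """Reassemble the data; any one disk may be None (failed or removed)."""
    n = len(disks)
    missing = [d for d in range(n) if disks[d] is None]
    if len(missing) > 1:
        raise ValueError("RAID-5 tolerates only one failed disk")
    n_stripes = len(next(d for d in disks if d is not None))
    out = bytearray()
    for s in range(n_stripes):
        parity_disk = (n - 1 - s) % n
        chunks = {d: disks[d][s] for d in range(n) if disks[d] is not None}
        if missing:
            # XOR of every surviving chunk (parity included) is the lost chunk.
            chunks[missing[0]] = xor_bytes(*chunks.values())
        for d in range(n):
            if d != parity_disk:
                out += chunks[d]
    return bytes(out)


def readable_fragments(disk_chunks: List[bytes], min_len: int = 4) -> List[str]:
    """Printable ASCII runs of at least min_len bytes found on one disk.

    Data chunks are stored as-is, and a parity chunk XORed against zero
    padding is plaintext too, so a single disk yields readable fragments.
    """
    frags: List[str] = []
    for chunk in disk_chunks:
        run = ""
        for b in chunk + b"\x00":  # sentinel flushes the final run
            if 0x20 <= b < 0x7F:
                run += chr(b)
            else:
                if len(run) >= min_len:
                    frags.append(run)
                run = ""
    return frags


def truncate_pan(pan: str) -> str:
    """Requirement 3.4-style truncation: keep at most first six and last four."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    disks = raid5_write(RECORD, n_disks=3, chunk_size=8)
    print("rebuilt without disk 1:", raid5_read([disks[0], None, disks[2]]).rstrip(b"\x00"))
    print("readable on disk 0 alone:", readable_fragments(disks[0]))
    print("truncated PAN for storage:", truncate_pan("4111111111111111"))
```

The rebuild succeeding with a disk missing is the availability property RAID-5 is designed for. The fragment list from disk 0 alone is the confidentiality problem: a quarter of the PAN, the expiry prefix and most of the name are on one spindle in the clear, which is why test 1 fails regardless of how the array is carved up.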

The Conservative Assessor

Assessors are just as guilty as assessees, but lean to the other extreme—especially when they do not understand the technology that enables an environment to function. This is increasingly common as the QSA community gets younger. More on that later.

Let’s say that an assessor does not fully understand networking technologies like 802.1q VLAN tagging and is presented with a problem that requires the creation of a separate management network to comply with PCI DSS. Let’s say the control being presented is a variation of our Telnet/SSH example from above. An assessor who does not understand how 802.1q works may suggest that in order to create this management network, each machine must have two dedicated network interface cards (NICs) that go to different physical switches. Now, if the targeted switching network can only be administered via Telnet, I might agree, depending on the architecture of the network and how far the trunks go. But if the switching network isn’t the issue (maybe it’s a group of legacy routers), 802.1q might be perfectly acceptable with the proper configuration and controls.
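For an assessor (or assessee) who has not looked inside an 802.1q frame, here is an added example, not from the original post, that builds and parses tagged and untagged Ethernet frames and then models the one piece of trunk configuration that decides whether a management VLAN crosses a link: its allowed-VLAN list. The VLAN numbers (10 for the cardholder data environment, 100 for management), MAC addresses and payloads are constructed for the example.

```python
"""Added example: an 802.1q tag and a trunk port's allowed-VLAN policy.

Constructed values only: VLAN numbers, MAC addresses and payloads below are
chosen for illustration and are not from the original post.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Set

TPID_8021Q = 0x8100     # Tag Protocol Identifier marking a tagged frame
ETHERTYPE_IPV4 = 0x0800
CDE_VLAN = 10           # constructed: cardholder data VLAN
MGMT_VLAN = 100         # constructed: management VLAN


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlan: Optional[int]  # None for an untagged frame
    pcp: int             # 802.1p priority bits carried in the tag
    ethertype: int
    payload: bytes


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan: Optional[int] = None, pcp: int = 0) -> bytes:
    """Serialize a frame, inserting the 4-byte 802.1q tag when vlan is given."""
    if vlan is not None and not 1 <= vlan <= 4094:
        raise ValueError("VID 0 and 4095 are reserved")
    hdr = dst + src
    if vlan is not None:
        tci = (pcp & 0x7) << 13 | (vlan & 0x0FFF)  # PCP(3) | DEI(1) | VID(12)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(raw: bytes) -> Frame:
    """Decode the header; the tag sits between the source MAC and the EtherType."""
    dst, src = raw[:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vlan, pcp, offset = None, 0, 14
    if ethertype == TPID_8021Q:
        (tci,) = struct.unpack("!H", raw[14:16])
        vlan, pcp = tci & 0x0FFF, tci >> 13
        (ethertype,) = struct.unpack("!H", raw[16:18])
        offset = 18
    return Frame(dst, src, vlan, pcp, ethertype, raw[offset:])


@dataclass
class TrunkPort:
    """The part of a trunk's configuration that decides which VLANs cross it."""
    allowed: Set[int]  # VLANs permitted on the trunk
    native: int        # VLAN assigned to untagged frames on the trunk


def trunk_forwards(port: TrunkPort, frame: Frame) -> bool:
    """True if the frame's VLAN is permitted to leave on this trunk."""
    vid = frame.vlan if frame.vlan is not None else port.native
    return vid in port.allowed


def demo() -> Dict[str, bool]:
    """Does a management-VLAN frame reach the legacy routers' trunk?"""
    mgmt = parse_frame(build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01",
                                   ETHERTYPE_IPV4, b"ssh to switch", vlan=MGMT_VLAN))
    # Pruned trunk: only the CDE VLAN is carried toward the legacy routers.
    pruned = TrunkPort(allowed={CDE_VLAN}, native=999)
    # Default trunk: every VLAN is carried, so management traffic leaks across.
    allow_all = TrunkPort(allowed=set(range(1, 4095)), native=1)
    return {"pruned_trunk": trunk_forwards(pruned, mgmt),
            "allow_all_trunk": trunk_forwards(allow_all, mgmt)}


if __name__ == "__main__":
    print(demo())  # management frame crosses only the allow-all trunk
```

The tag is four bytes of header, so separation between VLAN 10 and VLAN 100 is a forwarding decision every switch on the path makes, not a property of the cable. That is why the answer to "is 802.1q acceptable?" depends on the trunk configuration and how far the trunks go: one trunk left at its allow-everything default carries the management VLAN wherever the data VLAN goes, while a pruned trunk keeps it off the link the same way a second NIC and switch would.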

Assessors are under tremendous pressure to get the full PCI DSS picture at a company in increasingly shorter amounts of time. Along with that, the PCI Security Standards Council requires any QSA to sign up for uncapped indemnity. That very clause has kept the Big Four out of QSA work and, more recently, other very large firms that see the risk as too great. Because of this, you can expect that inexperienced assessors are going to lean far to the conservative side.

This post originally appeared on BrandenWilliams.com.

  1. For more hot sports opinions on how we ended up in this situation, read this blog post.