Category Archives: PCI

Seven Deadly Sins of a QSA (Part 13)

Sin #5 – The FNG

The Flipping New Guy (FNG) causes havoc wherever he goes. He also goes by the Pimply-Faced Youth (PFY) in some circles, and is often labeled as having the talent to tame a lion, but the experience to raise a hamster. He’s the guy that just went to new QSA training, passed his test, and showed up to do some good, old-fashioned assessing!

Three Days of Ground School

One summer, well after I became a QSA, I earned my private pilot certificate. If you ask my wife, she will tell you she remembers me babbling all of these fantastic ((My word, not hers.)) bits of knowledge that I was learning every day, and passing the time in ...

Visa Allows Non-US EMV Merchants to Forego PCI Assessments

Interesting note from Visa yesterday. They have given non-US merchants an escape hatch (Visa Europe’s version is here and differs from the Visa Inc. version in several ways) for validating PCI DSS compliance annually if they meet four specific requirements: The merchant must have validated PCI DSS compliance previously or have submitted to Visa (via their acquirer) a defined remediation plan for achieving compliance based on a gap analysis. Visa Europe provides a separate procedure: Merchant must have: previously satisfied PCI DSS compliance validation by completing milestones 1-4 of the Payment Card Industry’s Prioritised Approach for PCI DSS OR have previously completed milestone 1 of the Payment Card Industry’s Prioritised Approach for PCI DSS and conducted a PCI DSS gap analysis against milestones ...

Seven Deadly Sins of a QSA (Part 12)

How to Avoid the Buddied-Up QSA

If you are lucky enough to have one, it’s hard to avoid his impact. It could get even worse if the guy is also drunk with executive-sponsored power. When I was a buddied-up QSA, I told those managers to get a meeting together with the executive and discuss the technical and business constraints they faced. I also instructed them to make sure they do their homework. Don’t whine, and don’t focus on why you shouldn’t meet her standard. Bring everything to the table that is required to meet the executive’s directive. This should include any capital expenditures like hardware, software, and costs of people time, as well as soft costs such as lost productivity, ...

Seven Deadly Sins of a QSA (Part 11)

Sin #4 – Buddying Up with an Executive

Consulting is a people business. People buy knowledge, skills, and services delivered by other people. Unlike a product business, you can’t guarantee that each unit is exactly the same, even from the same person. And also unlike a product business, the consultant interfaces on a human level with various members of the executive staff. Strange things can happen when QSAs buddy up with executives. Let’s explore a situation near and dear to me.

My Standard > PCI DSS

Executives act differently after someone suspects a security breach has happened on their watch. All of a sudden, they get religious and grow a tiny, beating security heart inside their otherwise empty chest. This ...

Seven Deadly Sins of a QSA (Part 10)

How to Deal with a Power-Drunk QSA

Above all, remember that he’s just a guy. He’s trying to do his job, just like you are trying to do yours. If you allow the situation to heat up, everyone will suffer. Play the game, work with the guy a little bit. Listen to what he has to say. Ask for suggestions on how you might meet the requirement in his eyes ((You may have to enable him further to defuse the situation.)). Overall, he’s probably not a bad guy. Maybe he’s having a bad day and taking it out on you in an unprofessional manner, but that’s a bump in the road that can be overlooked. The first step is to remember ...

Seven Deadly Sins of a QSA (Part 9)

Sin #3 – Drunk with Power

QSAs are often in a position of perceived power. They sometimes exhibit authoritarian behavior, oftentimes enabled by the very people they are assessing. QSAs are just people. You are hiring them to evaluate your performance against a detailed set of requirements. They are not peace officers, and they are most definitely not auditors ((Although some may be CPAs.)). Smart companies will use this knowledge to their advantage and work the psychology of the situation.

The Psychology of the Situation

The QSA is acting in a position of authority based on his role in the assessment process, passing the QSA training class, and his education and experience. Individuals inside companies being assessed rarely know or ...

Seven Deadly Sins of a QSA (Part 8)

The Role of the Acquirer

Ultimately it is the Acquiring institution that must approve the compensating control. If you are like most companies, you most likely are dealing with more than one Acquiring institution, so remember, any control you propose should be approved by ALL of them before proceeding. Imagine the difficulty of getting your Visa/MasterCard acquirer to agree with American Express, and then Discover! It’s hard enough to get one institution to agree, but three? Consider this before you bet the farm on a flimsy compensating control that doesn’t solve the underlying problem.

How to Avoid Compensating Control Chaos

There is really only one way to avoid getting into a tug-of-war on compensating controls—don’t use them. Unfortunately, for most ...

Seven Deadly Sins of a QSA (Part 7)

The Liberal Assessee

If you are tasked with helping a company comply with PCI DSS without all the resources you need to do the job appropriately, you may end up taking a more liberal interpretation of the standard as a shortcut to compliance. Let me be frank: the only shortcut to compliance is to completely outsource your payment processing environment to someone else. It will cost you more money to process transactions, which might be what you should spend on PCI Compliance anyway ((For more hot sports opinions on how we ended up in this situation, read this blog post.)). Assessees become stage actors at this point in the conversation. I’ve seen some fairly silly controls argued with Oscar-worthy ...

Seven Deadly Sins of a QSA (Part 6)

Sin #2 – Compensating Control Chaos

Compensating controls are a challenging and somewhat confusing nuance to PCI DSS. In Chapter 12 of PCI Compliance: Understand and Implement Effective PCI Compliance I delve into this perceived “Get out of jail free” card. Many companies have found this a useful guide for creating compensating controls during their PCI DSS journey ((This chapter is freely available at our book’s website, http://www.pcicompliancebook.info/.)). Compensating controls are designed to allow companies to meet the controls laid out in PCI DSS in alternate ways. For example, a company that cannot put Secure Shell (SSH) on all of their routers and switches due to technical constraints may be able to do something different that would meet requirements for a ...

Seven Deadly Sins of a QSA (Part 5)

How to Avoid a Made Up Requirement

The only way to avoid a made up requirement is to ensure that there is material in the PCI DSS that supports a recommendation before it’s made. There are two main areas where you can find information on how to handle strange situations—PCI DSS itself, as well as the FAQ that can be found on the PCI Security Standards Council’s website. The “Navigating PCI DSS” series is also useful, but it is supplementary and cannot be assessed against. Any guidance taken from documents other than the PCI DSS should be written up as a compensating control where appropriate. Additional documentation, such as Special Interest Group (SIG) whitepapers, does not indicate changes in the standard ...