I’m Just the QSA, It’s not MY Report on Compliance!

If you have ever been on the receiving end of a PCI assessment, you had one of two reactions to the title. You said;

  1. “Yes it is, that’s what I hired you for!”, or;
  2. “Damned right it’s not yours, the QSA is only here to validate it.”

95% of you are likely in the first group, unless you had someone like me as your assessor. It is not the QSA’s report, it is yours, the QSA is only there to confirm that you have completed your parts of the Report on Compliance’s (RoC) Executive Summary (Sections 1 – 5) correctly, edited their own sections, and documented the validation results in Section 6 – Findings & Observations. Validation of evidence you provide, and for which you are entirely responsible.

A QSA will likely never know your environment as well as you, and if you don’t take FULL responsibility for the contents of your RoC it will be your organisation that it liable for any mistakes, not the QSA. You will also then have absolutely no remedy if you are breached, and your forensic investigation exposes significant differences between the RoC and reality. This is also why you should never, EVER, hide anything from your QSA.

PCI is too often seen as an audit (it’s an assessment), and the QSA an auditor (s/he’s an assessor) and volunteering information is considered a no-no. I have actually heard a client say; “But you didn’t ask me about that!” No matter how many times I’ve tried to explain that I’m a consultant first and there to help, that I can’t help if I don’t have all the information, AND that if I do find out that they’re hiding something from me any sampling they may have be awarded is now out the window, I would still have issues.

That’s one of the differences between clients who use their PCI budgets (and even manipulate their QSA to get MORE budget!) to spend on securing the business, and those who only care about achieving PCI compliance. The first type will spend far less in the long run, even if the process does take longer. Not only that, they will likely not only STAY compliant, they will have actually protected their business …their ENTIRE business.

Setting PCI compliance as the end goal is like telling your kids to aim for a C average in school, and even the Card Brands and the SSC themselves have only ever said the DSS is a “minimum set of security controls”. So why would a QSA, whom you have hopefully chosen well (see Selecting the Right QSA for Your Business), take any ownership in a process where the goal is almost never fit for purpose?

So anyone who thinks that the PCI assessment process is structured, formal, and conducted using well established parameters has never been through an assessment. Every good QSA does their own internal Risk Assessment from day 1, and based on their gut instinct, will determine whether or not validation sampling is even an option. If I don’t trust you, you stay at 100%.

Want to get some benefit from a PCI assessment?:

  1. Choose the right QSA
  2. Tell them EVERYTHING
  3. Take FULL ownership of both the process and the output

It’s your RoC, accept it.

PCI DSS v3.0: Service Provider Agreements (Req. 12.8.X)

There seems to be quite a bit of confusion about the ‘new’ requirements for service provider contracts. I say ‘new’ sarcastically because this should have been part of your vendor due diligence processes from the beginning.

From a merchant’s perspective, unless they have hired a QSA (or other PCI expert) to help define the service requirements and contractual obligation, it’s very difficult for them to ask the right questions. From a  service providers perspective, I’ve seen the gamut from complete ignorance of their obligations, to out-and-out lies in terms of what they are and are not providing.

The DSS v3.0 requirements of 12.8.X go a long way to resolve this, but not far enough in my opinion. The bottom line is that someone has to be responsible for each requirement, and there are only the following choices;

  1. SP agrees to be fully responsible for the requirement;
  2. SP agrees to be partially responsible, and;
  3. SP pushes the entire requirement back on you.

That’s it.

The above list is fairly obvious, but for the service provider’s clients the challenges are now twofold:

  1. If the service provider accepts full responsibility, are they PCI compliant for the service(s)?
  2. If they are only partially responsible, EXACTLY what part of the requirement is left?

Does the service provider need to be fully PCI compliant for you to achieve compliance? The answer is no, but if they are not, you have just doubled your assessment scope. Again, someone has to answer the questions, so if your service provider has not validated compliance for the services they are offering, you need to add them to your validation efforts.

As for the partial responsibility, that’s easy, get your service provider to tell you what they’re doing. For example;

DSS Req. #


Service Provider Responsibility Client Responsibility

Examine data-flow diagram and interview personnel to verify the diagram:

*  Shows all cardholder data flows across systems and networks.

*  Is kept current and updated as needed upon changes to the environment.

SP will provide initial diagrams in Visio format for the pre-production environment but will not own, manage, or keep up-to-date the data-flow diagrams post-production.

 This requirement is not part of SP PCI Report on Compliance dated [Mmm dd, yyyy]

Client must own, manage, and keep up-to-date all data-flow diagrams for inclusion into their own PCI compliance efforts once services have reached a production state.

You must repeat the above for EVERY requirement in the PCI DSS v3.0, then add this as an addendum or annex to your signed service contract. This applies not only for the services they are providing DIRECTLY, but the SP has a responsibility for any SUB-contractor they may bring in, and so on down the line.

Again, SOMEONE has to answer the questions!

However, let’s back up a bit and handle each DSS Requirement in turn:

12.8.1 Maintain a list of service providers

Easy, just maintain a list of Service Providers, with – at a minimum – the following detail;

  • Company Name
  • Service Description
  • Is [CONFIDENTIAL] Data Shared?
  • Regulatory Compliance Date
  • Status Verified By

12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.

Even easier, they wrote it down for you!! Include – again, at a minimum – the language in red in your contracts. You will likely want significantly more than this as there is no declaration of LIABILITY, or even SLAs.

12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.

If you don’t have robust vendor due diligence and vendor on-boarding/off-boarding processes you are really asking for trouble. For PCI services, if you have not ensured they are PCI compliant for the services they are providing AND you have the full details written into contact, then you have created a world of pain for yourself.

12.8.4 Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.

Does this say anything about the service providers actually working towards PCI compliance? No, it doesn’t, so the status could be; “They will never achieve PCI compliance.” and this is good enough for PCI. This should NEVER be good enough for you.

12.8.5 Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.

This we’ve already covered, all you need is a table, like the above, of every PCI requirement handled by each of your service providers and their sub-contractors. Your QSA can then tell you precisely what is left for you to cover for full compliance.

Whether you’re assessing for the first time, or re-assessing under v3.0, you need to start these conversation with your service providers NOW, as while this may be simple, it is not easy.

Advice for Merchants:

  • Only choose PCI compliant service providers (start here; Visa Europe Merchant Agent List)
  • Only choose service providers who have already addressed 12.8.2 and 12.8.5 up-front. You should not have to ask for this from SP worth their salt
  • If you have existing SPs and don’t know where to start, hire a decent consultant who is familiar with the PCI DSS to help

Advice for Service Providers:

  • Get your responsibility mappings and your contract language sorted out now, BEFORE you are asked
  • If you need help, ask for it, ignorance is not an excuse your clients can accept, nor can the card schemes

Easy huh?

You’re Not the Best at Anything, Except…

Unless by some ridiculous twist of fate you’re Novak Djokovic, Lionel Messi, or Steven Hawking (and their like) reading this, you are not the best at anything. Perhaps like me, even if you had spent your entire life practicing one thing you still would not have been the best.

Nor do you have to be.

World-class talent is exceptionally rare, but we humans have the unfortunate habit of holding ourselves up to these unique few. How could we possibly come up anything other than short?

A single skill or talent (see Choice: Love What You Do, Or Love Doing What You’re Good At?), properly developed, can take you far …IF you’re very good. But it’s the combination of your skills and talents that will enable you to excel at a far greater array of life choices. No-one, I mean NO-ONE can be you better than you can.

The challenge is; Who ARE you? What are your skills, your talents, your likes, dislikes, even aspirations? A disturbingly large portion of us spend our whole lives without answers to these questions, and we die never having achieved a fraction of our potential. Not someone else’s opinion of our potential, but our own sense of happiness and self-worth. Our feeling of achievement for a life that made a positive difference. At least to someone.

We have all come across people we simply can’t believe haven’t been fired yet, and we have all met people we are amazed are not doing significantly better. In my mind they have both committed the same ‘crime'; they have failed to understand themselves. These examples came from different angles, but the results are the same; neither is doing what they should or could be doing with their lives.

While I absolutely believe you must leave this life with regrets (see A Life Without Regrets is a Life Without Mistakes) doing a poor job or never doing a great job should not be among them. Others can help, – and usually love to do so – but only you can choose the right path.

There is a good chance I can beat Djokovic at darts (and perhaps several other non-athletic sports), and I likely know a lot more about payments security than Hawking. We all make our OWN choices in life, I am where I am because of mine, so why should I ever compare myself to them? Or to anyone else for that matter.

No, I have no-where near their money or their fame, but if I was to compare my life by those standards I have a lot more issues to address first. I am very good at what I do, but equally important, I know when I’m out of my depth. Like most people, I will never know EVERYTHING I’m good at, but I am self-aware enough to know when I should keep something going, or let it go entirely.

I have no problem being fired for being too opinionated, I would very much object to being fired for incompetence, but they are both very much my own fault.

With self-awareness comes true personal accountability, only then can the regrets you have be the kind you want.

Do You KNOW What You’re Worth?

The following phrase occurred to me after conversations I’ve had in the last few weeks with two ex-colleagues who also now happen to be very good friends;

“If you don’t know what you don’t know, how can you ever be sure you know enough?”

Both find themselves in a similar position; both have progressed in their careers at their respective organisations, and both have very recently received a significant bump in responsibility and work load. Neither has EVER received the recognition they deserve, and they have not only replaced people on much higher salaries, but have dramatically improved things for their departments after taking over.

It’s very easy for me to rail on the senior management at those organisations about how they must show appreciation for their star performers – in both monetary terms, and the respect they have earned – but the fact remains that neither of these talented guys knows their true worth.

Yes, their senior management are idiots, they probably always have been, but if my friends had been paying attention they would be in a better position to negotiate. If they had been laying the right groundwork over the course of their careers, no promotion would have been offered without the corresponding upward review of their compensation packages.

And the thing is, I know exactly how they feel. After 12+ at my last organisation it was not until the last few years that I started to get it right. It took a further year after my departure for me to finally know my worth. The true value of my skill-set.

I also know exactly why it took this long; fear.

When I started a new career in my 30’s, I could not have known less about my chosen field of Information Security. My first two weeks as a Firewall Administrator consisted of my learning what a firewall was and faking my way to a couple of credentials. Over the next 5 years I worked my up to managing the department, which was then all taken away during a company merger. For the next 7 years I worked my way up from a brand new consultant to Director of 28 consultants across 14 time zones.

Yes, my compensation increased, but I very much doubt it was in-line with my market value. Why? Because I always doubted that I had learned enough in my career to have proven my value, to be worth more than my management were offering. Also, having spent so long at one place, my blind loyalty got in the way. I assumed I would be taken care of if gave it my all.

I could have gone on for years this same way, luckily any decisions were made for me. When I look back, I can see years of wasted time and misplaced loyalty, but if I’m really honest with myself, it was my own fear and laziness that really held me back. All I had to do was look around, have some conversations, and above all; stop being such a wuss.

I know it’s not as simple as I’m making out to be, we all have responsibilities (family, mortgage and so on…) but in the end, YOU are the one that sets your value, and if you’re not getting your due, YOU are the only one to blame. I had no choice in working this out, I was “laid-off”, but one of the most amazing upsides of a bad situation is that I’ll never be afraid again.

I know my worth, do you?

PCI From the Other Side: An Ex-QSA’s Worst Nightmare

Once again I have chosen a dramatic title to sucker you in, but seeing as it’s PCI related it’s never going to be even remotely exciting, but it may be of interest…

First; per the title, I’m not actually a QSA any more, but I have been in the trenches of PCI since before there were QSAs (anyone remember QDSPs?), so I am reasonably well qualified to write about it.

Second; by “PCI From the Other Side”, I mean that I recently found myself in a scenario where I was the one being assessed. The remainder of this blog is about that experience. It was truly eye-opening, and I hereby apologise to every client I’VE assessed over the last decade. I only now feel your pain.

The above apology aside, it’s not until you find yourself on the other side of the assessment fence that you can truly appreciate the challenges faced by those organisations with PCI obligations. I am both a PCI and Information Security expert, and even I had a hell of a time putting my current organisation thorough the process and I DESIGNED the infrastructure with compliance in mind!

My first challenge was finding a PCI compliant service provider (SP) who could handle the vast majority of the infrastructure and the security related processes. From configuration standards, to AV, to logging and monitoring I didn’t want to do anything in-house. I spoke to several service providers, for some of whom I was actually the one who had provided guidance in the design of their PCI services. Regardless, they were all SPECTACULARLY unhelpful, and if I, an expert, had this much difficultly, what chance does anyone else have?

Even Amazon Web Services does a better job than every SP to whom I spoke, and while AWS basically devolve almost every aspect of compliance back on the client, they at least break down the EXACT responsibilities for all parties against every single requirement in the DSS. Yes, PCI DSS v3.0 does a better job of making this a requirement, but it can still be very difficult to get the right information based on a vendor documentation and Attestation of Compliance (AoC). If you don’t ask the right questions, no SP seems anxious to provide them for you.

The second major challenge was the sheer volume of ‘paperwork’. Policies, Procedures and Standards make up roughly 35% of the PCI DSS requirements, and at least 47% of validation against all requirements involves review of some form of documentation, even if it’s just a screenshot.

As an assessor I would give my clients a spreadsheet that tells them what kind of document I need against any given requirement, for them to complete with the document THEY believe meets the intent of the Testing Procedure. For my QSA I went one stage further and mapped my policies and procedures (including Section numbers!) against the Report on Compliance v3.0 template itself.

Now these are Policies that I have mapped against the PCI DSS / ISO2700X/ CoBIT etc. and even sold them to several clients to help with their compliance efforts, yet it took ME several weeks to fine tune these policies to get them exactly where they needed to be. As for the Procedures and Standards, I had to create 24 separate documents to cover everything from Change Control to Vulnerability Management and I can tell you, this was NOT fun!

Like finding a Service Provider, I had a huge advantage over most people in charge of putting together their organisation’s documentation, and if this was the pain I went through, I do not want to begin to imagine the pain for anyone not an expert. [Note: The ‘paperwork’ is critical not just to PCI, but to security in general, and should NEVER be done with just compliance in mind!]

I have written too many blogs about the problems with the PCI DSS to harp on about them here, and there were far more issues I faced than you want to hear about. Needless to say, if the SSC really want to train new QSAs, they should throw out their entire curriculum and put them in the client’s shoes for a day.

95% of them would fail.

Who am I kidding, 95% of CURRENT QSAs would fail, I almost did!