PCI 1.2: Waives QSA Requirement, Specifies Shred Details
Written by Evan Schuman

When the PCI Council officially unveiled PCI 1.2 on Wednesday (Oct. 1), it departed little from the key changes PCI had previewed back in mid-August. But far from the mild tweak officials had described, the final PCI 1.2 version actually includes dozens of wording changes, most of which reflect technology changes since 1.1 was released two years ago.
The PCI Council issued its own quite comprehensive list of the changes, but for those who want to directly compare the official 1.1 version with the official 1.2 version, these links should do the trick.
The official version also didn’t address any of the missing elements that some have questioned PCI about. But 1.2 did make quite a few modernization changes, especially with language.
There were a handful of small procedural changes. PCI clarified that printed material containing card data must not merely be destroyed; retailers now must "shred, incinerate, or pulp hardcopy materials so that cardholder data cannot be reconstructed." A good move to spell out.
Although saying that qualified professionals must do evaluations, it now specifically says that the tester is "not required to be a QSA or ASV."
Language changes, though, accounted for the overwhelming majority of the new changes. For example, "hackers" is gone, replaced with "malicious individuals."
That particular change I partially applaud. For far too long, the once prestigious term "hacker" has been muddied. The original term refers to an especially skillful, resourceful and creative programmer who can come up with a way to get a system to do virtually anything the company needs. As in "This is a tough one. Let’s get Joan to do it. She’s the best hacker we’ve got."
The consumer media quickly turned the term into one referencing a cyberthief. For abandoning the negative use of the word "hacker," PCI should be applauded. But the phrase "malicious individuals," although certainly an improvement, is not necessarily accurate. Professional cyberthieves may not be malicious at all, in that they intend nothing deliberately harmful or spiteful. Many are professionals just trying to make money, albeit illegally. (Think Fagin.) They’re crooks all right, but, as a writer, I’m not sure "malicious" is necessarily correct.
Another favorite language change was the PCI Council’s decision to weigh in on that fun-filled PCI debate about whether security evaluations are "audits" or "assessments." Some have argued for assessments, suggesting that an audit is more intrusive and focused more on what is touched, opened and probed rather than on what is asked. The council has changed all references to audits to assessments.
Here’s one that only writers will cheer for: The document changed references to "subsequent to authorization" to "after authorization." Or maybe this one: PCI changed "potential employees" to "potential employees prior to hire." (I guess all humans on the planet could be considered potential employees. With Microsoft, they don’t even have to limit themselves to humans.)
Wording changes reflecting modernization include:
October 4th, 2008 at 9:03 am
I think you may be mistaken with your “Although saying that qualified professionals must do evaluations, it now specifically says that the tester is “not required to be a QSA or ASV.” statement.
QSAs are still required to perform the on-site assessment if the merchant is a Level 1 merchant.
ASVs are still required to perform the quarterly external vulnerability assessment.
Where QSAs or ASVs do not come into play, which has always been the case but is now explicitly written, is the internal vulnerability scan and the annual attack/penetration.
October 4th, 2008 at 11:08 am
Editor’s Note: Well, yes and sort of no and then a little more no.
The “yes” is that you’re right. Saying that it spoke to who “must do evaluations” was regrettably vague. That said, the first “sort of no” is that the wording of the adopted version is not crystal clear that the liberalization is limited to “the internal vulnerability scan and the annual attack/penetration.”
What PCI 1.2 11.3 says is that retailers must “Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a subnetwork added to the environment, or a web server added to the environment). These penetration tests must include network layer penetration tests and application-layer penetration tests.”
In 11.3b, presumably in reference only to the tests just listed, it requires merchants to “verify that the test was performed by a qualified internal resource or qualified external third party, and if applicable, organizational independence of the tester exists (not required to be a QSA or ASV).”
So, yes, saying that it applies to all evaluations was needlessly vague on our part.
But I have a nit to pick on your comment that “QSAs are still required to perform the on-site assessment if the merchant is a Level 1 merchant.”
As we reported late last year, Visa has been permitting some Level 1s to self-assess if Visa, the issuing bank and top brass of the retailer itself agree. Typically, it happens when a chain has been certified before and there’s no reason to suspect anything wrong.
It’s not that common, but it does happen.
October 4th, 2008 at 12:24 pm
Thanks for the link regarding Visa. I have heard of issuers offering this; however, if the other card brands do not permit it then a QSA will still be around.
On the other note: I feel like v1.2 is pretty clear as it relates to the various scans in requirements 11.2 and 11.3.
11.2 explicitly says that quarterly external vulnerability scans must be performed by an ASV. However if network infrastructure changes occur, as noted in 11.2, then this external scan can be performed by internal resources.
11.2 also calls for the internal vulnerability scan where PCI states that it may be performed by internal resources or a third party.
11.3b states that the attack/pen on both the network and application layers can be performed by a qualified internal resource or qualified external third party and states in the parenthesis that it is not required to be a QSA/ASV.
Keep up the good work with the blog!