PCI 1.2: Waives QSA Requirement, Specifies Shred Details

Written by Evan Schuman
October 2nd, 2008

When the PCI Council officially unveiled PCI 1.2 on Wednesday (Oct. 1), it included virtually no meaningful changes beyond the key changes PCI had announced back in mid-August. But far from the mild tweak officials had described, the final PCI 1.2 version actually includes dozens of wording changes, most of which reflect technology changes since 1.1 was released two years ago.

The PCI Council issued its own quite comprehensive list of the changes, but for those who want to directly compare the official 1.1 version with the official 1.2 version, these links should do the trick.

The official version also didn’t address any of the missing elements that some have questioned PCI about. But 1.2 did make quite a few modernization changes, especially with language.

There were a handful of small procedural changes. PCI clarified that printed material containing card data must not merely be destroyed; retailers now must "shred, incinerate, or pulp hardcopy materials so that cardholder data cannot be reconstructed." A good move to spell out.

Although saying that qualified professionals must do evaluations, it now specifically says that the tester is "not required to be a QSA or ASV."

Language changes, though, accounted for the overwhelming majority of the new changes. For example, "hackers" is gone, replaced with "malicious individuals."

That particular change I partially applaud. For far too long, the once prestigious term "hacker" has been muddied. The original term refers to an especially skillful, resourceful and creative programmer who can come up with a way to get a system to do virtually anything the company needs. As in "This is a tough one. Let’s get Joan to do it. She’s the best hacker we’ve got."

The consumer media quickly turned the term into one referencing a cyberthief. For abandoning the negative use of the word "hacker," PCI should be applauded. But the phrase "malicious individuals," although certainly an improvement, is not necessarily accurate. Professional cyberthieves may not be malicious at all, in that they have no intention of deliberately harmful or spiteful actions. Many are professionals just trying to make money, albeit illegally. (Think Fagin.) They’re crooks all right, but, as a writer, I’m not sure malicious is necessarily correct.

Another favorite language change was the PCI Council’s decision to weigh into that fun-filled PCI debate about whether the security evaluations done are "audits" or "assessments." Some have argued for assessments, suggesting that an audit is more intrusive and focused more on what is touched and opened and probed rather than what is asked. The council has changed all references to audits to assessments.

Here’s one that only writers will cheer for: The document changed references to "subsequent to authorization" to "after authorization." Or maybe this one: PCI changed "potential employees" to "potential employees prior to hire." (I guess all humans on the planet could be considered potential employees. With Microsoft, they don’t even have to limit themselves to humans.)

Wording changes reflecting modernization include:

  • "Full magnetic stripe" became "Full track data from the magnetic stripe, magnetic stripe image on the chip or elsewhere."
  • "E-mail" became "end-user messaging technologies (e-mail, instant messaging, chat)."
  • "Password" became "password or passphrase."


    3 Comments

    1. return Says:

      I think you may be mistaken with your “Although saying that qualified professionals must do evaluations, it now specifically says that the tester is “not required to be a QSA or ASV.” statement.

      QSAs are still required to perform the on-site assessment if the merchant is a Level 1 merchant.

      ASVs are still required to perform the quarterly external vulnerability assessment.

      Where QSAs or ASVs do not come into play, which has always been the case but is now explicitly written, is the internal vulnerability scan and the annual attack/penetration.

    2. Evan Schuman Says:

      Editor’s Note: Well, yes and sort of no and then a little more no.
      The “yes” is that you’re right. Saying that it spoke to who “must do evaluations” was regrettably vague. That said, the first “sort of no” is that the wording of the adopted version is not crystal clear that the liberalization is limited to “the internal vulnerability scan and the annual attack/penetration.”
      What PCI 1.2 11.3 says is that retailers must “Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a subnetwork added to the environment, or a web server added to the environment). These penetration tests must include network layer penetration tests and application-layer penetration tests.”
      In 11.3b, presumably in reference only to the tests just listed, it requires merchants to “verify that the test was performed by a qualified internal resource or qualified external third party, and if applicable, organizational independence of the tester exists (not required to be a QSA or ASV).”
      So, yes, saying that it applies to all evaluations was needlessly vague on our part.
      But I have a nit to pick on your comment that “QSAs are still required to perform the on-site assessment if the merchant is a Level 1 merchant.”
      As we reported late last year, Visa has been permitting some Level 1s to self-assess if Visa, the issuing bank and top brass of the retailer itself agree. Typically, it happens when a chain has been certified before and there’s no reason to suspect anything wrong.
      It’s not that common, but it does happen.

    3. return Says:

      Thanks for the link regarding Visa. I have heard of issuers offering this; however, if the other card brands do not permit it then a QSA will still be around.

      On the other note: I feel like v1.2 is pretty clear as it relates to the various scans in requirements 11.2 and 11.3.

      11.2 explicitly says that quarterly external vulnerability scans must be performed by an ASV. However, if network infrastructure changes occur, as noted in 11.2, then this external scan can be performed by internal resources.

      11.2 also calls for the internal vulnerability scan where PCI states that it may be performed by internal resources or a third party.

      11.3b states that the attack/pen on both the network and application layers can be performed by a qualified internal resource or qualified external third party and states in the parenthesis that it is not required to be a QSA/ASV.

      Keep up the good work with the blog!

