This is page 2 of:
Why PCI Doesn’t Get Easier the Second (or Fourth) Time Around
It can be like starting over each year. On a related note, software applications can go out of date, too. Applications that were PA-DSS validated years ago may be past their PCI “sell by” date, meaning they are no longer acceptable for new implementations. Even existing implementations of the older versions may be so old they are no longer supported, and these must be replaced or upgraded. The same holds true for system software.
Compensating controls that were acceptable in the past might not be so today. For example, recent experience may cause a retailer’s acquirer (or QSA) to reassess last year’s compensating control. Sometimes the PCI Council will issue additional guidance based on its assessment of recent attack vectors. Alternatively, with some technology costs coming down, the business justification for a compensating control may no longer exist. Either situation can mean reassessing the compensating control or even abandoning it altogether.
The biggest source of change, though, is likely to be in the merchant’s or processor’s own environment. In the year between assessments, retailers have likely added staff, user accounts and stores, and/or changed the organization. Communications networks evolve and expand, and new routers and firewalls are added. Each of these events means the assessor (internal or external) needs to revalidate the scope of the assessment, in addition to updating internal documents and procedures. All of this takes time.
I should point out that changing the PCI compliance team will also impact the time and effort it takes to validate compliance. Having a new QSA or internal PCI leader can put a merchant back at square one as far as the assessment goes. If the QSA is new, he or she has to learn the merchant’s environment, and this person may have different opinions than his or her predecessor on what is or is not compliant. Similarly, if the internal PCI leader is new, that person may lack the PCI knowledge, internal operational experience and/or organizational clout to get the evidence needed to validate compliance more efficiently than in the previous year.
A number of PCI requirements need attention throughout the course of the year—for example, six-month firewall rule reviews, quarterly internal and external vulnerability scans, installing security patches, updating antivirus software and daily log reviews. If a merchant has changed its internal PCI coordinator, documenting all of these activities will take as much time and effort this year as it took last year. This assumes all the activities actually took place, and the merchant and assessor don’t have to scramble to develop compensating controls for things like missed scans or security awareness training.
In my mind, the biggest single reason compliance doesn’t get easier with each passing year is that the merchant’s own environment changes. Retailers and processors add new business lines, add and reassign staff, reconfigure their networks, expand or add databases, update firewalls and add or change any number of third-party relationships. With each change comes a potential change in PCI scope that has to be reflected in the assessment.
What do you think? I’d like to hear your thoughts. Does PCI compliance get easier each year? Either leave a comment or E-mail me at wconway@403labs.com.
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
