New QA Review Toughens PCI Assessors

Written by Evan Schuman
October 15th, 2008

Guest Columnist David Taylor is the Founder of the PCI Knowledge Base, Research Director of the PCI Alliance and a former E-Commerce and Security analyst with Gartner.

The number one complaint that we hear in our research on the PCI standards is that they are "absolute"—that there is no recognition of differences in risk across the various controls and that this posture promotes a "checklist mentality" and ineffective implementation and enforcement.

But we see that changing with the 1.2 version. However, many merchants have done little to formalize their IT risk management process, and simplistic spreadsheets with arbitrary (or non-defensible) risk levels and a cute "stoplight" (i.e., red, yellow, green) summary are common. Beginning with PCI 1.2, merchants need to take IT risk management more seriously, because it can save them money. The ability to "prove" to an assessor or acquiring bank that controls are effective in reducing risk will be increasingly important in reducing PCI scope and costs.

Network segmentation is still not a requirement, for some reason, but it’s the single action that will save you the most money in the assessment. With the 1.2 version, there is increased focus on proving that the network segmentation is "adequate." A network diagram is required as well.

But, more importantly, a merchant needs to evaluate and quantify the risk associated with having a flat network, based on the number of access points and the ability to monitor and track this access. There are network monitoring tools that can tell you, continuously, of attempts to access specific network resources. Reports from these tools can quickly demonstrate to an assessor, acquirer or upper management the impact of different network segmentation schemes. This is one way to quantify risk and, thereby, to reduce PCI scope.
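As an added illustration (not from the column), the script below shows the kind of quantification the paragraph describes: it reads constructed connection-log lines, assumes a cardholder data environment subnet of 10.1.1.0/24, and scores three hypothetical segmentation schemes by how many source hosts would retain access to CDE systems and how many observed attempts each scheme would have blocked.

```python
import ipaddress

# Constructed sample of connection-log lines (not real traffic): timestamp, src, dst, dport
SAMPLE_LOG = """\
2008-10-01T09:12:03 src=10.20.5.17 dst=10.1.1.10 dport=1433
2008-10-01T09:12:09 src=10.20.5.17 dst=10.1.1.10 dport=445
2008-10-01T09:13:44 src=10.30.8.4 dst=10.1.1.11 dport=22
2008-10-01T09:15:02 src=10.1.1.12 dst=10.1.1.10 dport=1433
2008-10-01T09:16:30 src=10.40.2.9 dst=10.1.1.10 dport=1433
2008-10-01T09:17:11 src=10.40.2.9 dst=10.1.1.11 dport=22
"""

# Assumed cardholder data environment (CDE) subnet for this example
CDE = ipaddress.ip_network("10.1.1.0/24")

# Hypothetical segmentation schemes: scheme name -> subnets allowed to reach the CDE.
# "flat" models today's unsegmented network; the others progressively narrow access.
SCHEMES = {
    "flat": ["0.0.0.0/0"],
    "cde_plus_admin": ["10.1.1.0/24", "10.30.8.0/24"],
    "cde_only": ["10.1.1.0/24"],
}

def parse_log(text):
    """Turn key=value log lines into dicts with parsed IP addresses."""
    events = []
    for line in text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        events.append({"src": ipaddress.ip_address(fields["src"]),
                       "dst": ipaddress.ip_address(fields["dst"]),
                       "dport": int(fields["dport"])})
    return events

def evaluate_scheme(events, allowed_subnets):
    """Count distinct sources that keep CDE access and attempts the scheme would block."""
    allowed = [ipaddress.ip_network(s) for s in allowed_subnets]
    sources_with_access, blocked = set(), 0
    for e in events:
        if e["dst"] not in CDE:
            continue  # only traffic aimed at CDE hosts affects PCI scope here
        if any(e["src"] in net for net in allowed):
            sources_with_access.add(str(e["src"]))
        else:
            blocked += 1
    return {"sources_with_cde_access": len(sources_with_access),
            "attempts_blocked": blocked}

def compare_schemes(text):
    """Score every candidate scheme against the same observed traffic."""
    events = parse_log(text)
    return {name: evaluate_scheme(events, nets) for name, nets in SCHEMES.items()}
```

Run against real flow or firewall exports, the per-scheme numbers give an assessor something concrete: how many hosts would remain in scope under each design.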

Store Sampling Process and Documentation. PCI 1.2 includes additional focus on sampling facilities outside headquarters. The goal of the sampling process is to understand the risks posed by the stores, because many security breaches originate there.

In this case, the key to reducing scope and assessment cost is being able to prove that store systems are configured consistently and any "gold load" configurations are followed. Just showing the assessor or acquirer a configuration document means little if the merchant cannot provide "reasonable assurance" that the configuration standards are being followed.

We have talked with many leading merchants who use configuration management tools. Even if they don’t have enough new servers each month to justify the cost of "automating" initial configuration, the ability to place server configuration under change control is valuable for both PCI requirement 2 and requirement 10. This is another case where the use of automated tools can reduce manual effort while also serving to document the configuration consistency. These tools can pay for themselves because they can be used to justify a smaller store sample size, which will reduce the costs of the PCI assessment.
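The following is an added example, not the column's or any vendor's code, of the evidence a configuration-management tool can produce for the store-sampling discussion above: it fingerprints a constructed "gold load" baseline, compares each store's pulled configuration against it, and reports exactly which settings drifted. The baseline settings and store inventory are assumed sample values.

```python
import hashlib
import json

# Constructed "gold load" baseline for a store server (assumed settings, not a real standard)
GOLD_LOAD = {
    "os_patch_level": "2008-09",
    "telnet_enabled": False,
    "default_admin_password_changed": True,
    "audit_logging": "enabled",
    "allowed_services": ["pos-app", "sshd", "syslog"],
}

# Constructed inventory as a config-management tool might export it, keyed by store id
STORE_CONFIGS = {
    "store-001": dict(GOLD_LOAD),
    "store-002": {**GOLD_LOAD, "telnet_enabled": True},
    "store-003": {**GOLD_LOAD, "os_patch_level": "2008-06",
                  "allowed_services": ["pos-app", "sshd", "syslog", "ftpd"]},
    "store-004": dict(GOLD_LOAD),
}

def fingerprint(config):
    """Stable hash of a config so identical images compare equal regardless of key order."""
    canonical = json.dumps(config, sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()

def drift(config, baseline=GOLD_LOAD):
    """Return {setting: (expected, actual)} for every setting that departs from the baseline."""
    return {k: (baseline[k], config.get(k)) for k in baseline if config.get(k) != baseline[k]}

def consistency_report(store_configs, baseline=GOLD_LOAD):
    """Summarise which stores match the gold load and list the drift for those that do not."""
    gold_hash = fingerprint(baseline)
    report = {"gold_fingerprint": gold_hash, "consistent": [], "drifted": {}}
    for store, cfg in sorted(store_configs.items()):
        if fingerprint(cfg) == gold_hash:
            report["consistent"].append(store)
        else:
            report["drifted"][store] = drift(cfg, baseline)
    total = len(store_configs)
    report["consistency_pct"] = round(100.0 * len(report["consistent"]) / total, 1) if total else 0.0
    return report
```

A report like this, generated on a schedule and kept under change control, is the "reasonable assurance" an assessor can check in minutes rather than by visiting more stores.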

Although merchants too often use compensating controls as a PCI cost-cutting technique, these controls are really the heart and soul of risk management relative to PCI. Compensating controls may only be used if they can reduce the risks posed by the absence of the required controls. Therefore, a weak process for documenting and quantifying risk usually shows up in poorly defined compensating controls. In turn, this can cause compliance failure and additional assessment and technology costs, because if you cannot prove your compensating control reduces the risk, you’ll have to (typically) pay to implement the required control.

There is increased focus and clarity in 1.2 regarding how to use compensating controls. For example, you must document how any compensating controls provide a "similar level of defense" and that they "sufficiently offset the risk" vis-à-vis the original control. One of the techniques for reducing cost and continuing to use compensating controls is to define a clear testing process for each control that is easy to review and objectively validated. This is another area where automated tools (e.g., for change management) can prove valuable in helping merchants provide ongoing validation for the risk reduction provided by each of the compensating controls, thus reducing costs.

Third Party/Outsourcing Risk. One area where IT risk management is typically weak is in how the risk of outsourcing and other uses of third parties is treated in the analysis. In the vast majority of cases, there is no risk analysis of the process of selecting third parties and little or no quantification of specific risk factors. There may be an overall "insource/outsource" analysis, but it is typically cost-driven or perfunctory to justify a decision post hoc.

In PCI 1.2, there is specific mention of the need to prove due diligence as to risk "prior to engaging" a service provider and the need to prove ongoing "monitoring" of compliance status. To prove this to an assessor, you may be able to get away with a simple "stoplight" style analysis.

But to properly manage and monitor these third parties, some form of data collection needs to take place. Meeting the "monitoring" requirement can almost certainly be done with anything from a simple online (or E-mailed) questionnaire to a requirement to submit IP scan results or other automated reporting.

Although the requirement does not say it explicitly, this should be done more often than once a year. Automated monitoring (of any sort) is certainly less costly than doing facility visits and it provides a better risk-based justification, particularly if there should be any problems, such as a breach.

The "Risk Sensitivity" of Assessors and Acquirers. Merchants have often complained that assessors are not aware of, or sensitive to, real IT risk. After speaking with many assessors and those who train them, we’ve heard clearly that assessors are being trained to be more sensitive to proven risk. As a result, being able to prove to an assessor that you understand, and can quantify, your risks is the best way to win over an assessor.

This is even more of an issue with working with your acquirer. Financial institutions are more "risk focused" than merchants. Compliance officers have told us that they want to see a risk management process in place that provides clear quantification and evidence that the merchants understand their IT risks, particularly relative to credit card data. In short, the ability to prove to an acquirer or assessor, through the use of objective, automated tools (if possible) the impact of specific controls (or compensating controls) is key to winning arguments and, therefore, to reducing compliance costs.

If you have a question about PCI 1.2, you can ask the PCI Knowledge Base panel of more than 75 PCI experts in our discussion forums. Also, if you’re a retailer, we want to get you involved in the PCI Best Practices study we’re doing with the National Retail Federation. It’s 100 percent anonymous. Just send us an E-mail at

