Payment Card Security & IT Controls Explained

Entries from August 2006

Weak PCI DSS Vendor Scanner Certification Process?

August 25, 2006 · 8 Comments

There have been several discussions around the cooler and the web on what it takes to become a MasterCard assessor under PCI DSS. The folks that undertake this journey must climb mountains of standards and requirements. Having steered a mid-sized company through this process, I will share the basic hurdles and requirements. In addition, I will address some of the recent criticism, and hope that others will add their experiences to the discussion.

To become a MasterCard Assessor a company must travel to the MasterCard SDP website and review the documents. Once all the legal jazz is complete, a monetary contribution is required. These amounts can be attributed to many internal costs at MasterCard (maintaining the program, the site, the assessor testing platforms, communication, legal fees for reviewing dozens of contracts), but my favorite (hypothesized) reason is to keep the unsophisticated companies off the list. By keeping out the smallest shops, MasterCard and VISA are able to require at least a modicum of an established professional organization from those that wish to conduct these services.

So, once the dues are paid the assessor (under MasterCard) is given a target environment to audit. The assessor is expected to treat this engagement as one of the hundreds they will perform for their clients. The intent here is to validate the assessor’s competence in delivering these services, and completeness in meeting the requirements of PCI DSS. From experience, however, there have been reports of companies assigning their leading penetration testers to the task, and then switching to their automated systems once they are certified. Assuming the organization does pass the test, they are granted a certification number, and must provide this on every report they deliver. Having gone through this certification I can vouch that a simple Nessus scan will not qualify a vendor. Anyone have different experiences? We had to establish an automated system that merged a Nessus scan with a Retina scan w/ SPI and THEN had a real person evaluate the results and do some final validation for the client-facing report.

From there the accredited assessor can now market and attract clients under the PCI DSS umbrella. They may deliver a single quarter or lock in the client for many years. The greatest responsibility the assessor has is ensuring the client is providing ALL the applicable IP addresses that are to be audited. This is critical because if the client does not provide them all, or the assessor does not adequately discover the total assets, the contract has been breached. As a result, the client is non-compliant and susceptible to a false sense of security and hacking attacks (which then hit the consumer’s wallet). In addition, the assessor is liable for the shoddy work that was delivered based on the terms of the contract. The assessor’s risk is very high and at the mercy of the client in this case.

So there are some good and bad points from the point of view of the client and the auditor. A few tips (it is not all doom and gloom – it IS Friday after all):

Client (Merchant / Service Provider required to be compliant):
- Qualify the assessors before signing a multi-year contract (as the client you have a duty to evaluate the parties that are conducting this work). Remember: long-term contracts are cheaper $$, but may cause complacency.
- Lowest bid is not the best. You want to Optimize and not Maximize (optimize the value through service and quality, while not maximizing or reaching burdensome control validations).
- Fully evaluate your environment and identify all external entry points (this should include partners, service providers, vendors, holding companies, etc…).
- Once the due diligence is complete on the entire external environment, determine where the cardholder data passes and then be sure these points are provided to the assessor.
- Maintain control over the environment. As environments change, grow, merge, and divest, new in-scope IP addresses will exist. It is critical to ensure a central repository of up-to-date IP addresses is maintained.

Assessor:
- Conduct independent diligence on the client and identify all the IP address blocks the organization and its affiliates possess. This can easily be done with online WHOIS services.
- Provide the client with an exploratory questionnaire (are they using third parties?) to fully determine the possible external points in scope.
- Have the client certify that the final list (including the discovered IP addresses) is owned, in scope, and may be audited.
- Encourage transparency in the process (the intent of PCI DSS is to improve security, not to operate a black-box service). The client will be better off and your relationship will be too.
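As an added illustration of the scope reconciliation both lists above call for (this is example code, not from the original post), the check below compares the IP list a client declared with the address blocks an assessor discovered independently and reports both failure modes: discovered space the client never declared, and declared entries that cannot be attributed to any discovered block and therefore need the client's ownership certification. The two input lists are constructed samples drawn from RFC 5737 documentation ranges (IPv4 only); reading real WHOIS output is assumed to happen upstream.

```python
"""Reconcile a client's declared scan scope against independently discovered blocks.
Added example, not from the original post; inputs are constructed samples using
RFC 5737 ranges (in practice DISCOVERED comes from WHOIS research, DECLARED from
the client's central IP repository). IPv4 only, as in the samples."""
import ipaddress

DECLARED = ["203.0.113.0/25", "198.51.100.10", "192.0.2.77"]  # client's list
DISCOVERED = ["203.0.113.0/24", "198.51.100.0/24"]            # assessor's findings


def parse_networks(entries):
    """Convert IP/CIDR strings to network objects; a bare IP becomes a /32."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries if e.strip()]


def reconcile_scope(declared, discovered):
    """Return (undeclared, unattributed) as sorted lists of CIDR strings:
    undeclared   = discovered address space the client never declared (scope gap);
    unattributed = declared entries outside every discovered block (the client
                   must certify ownership before they are scanned)."""
    declared_raw = parse_networks(declared)
    declared_nets = list(ipaddress.collapse_addresses(declared_raw))
    discovered_nets = parse_networks(discovered)

    undeclared = []
    for block in discovered_nets:
        remaining = [block]
        for d in declared_nets:
            carved = []
            for r in remaining:
                if r.subnet_of(d):
                    continue                             # fully declared: drop
                if d.subnet_of(r):
                    carved.extend(r.address_exclude(d))  # punch out the declared hole
                else:
                    carved.append(r)                     # disjoint: keep as is
            remaining = carved
        undeclared.extend(remaining)

    unattributed = [d for d in declared_raw
                    if not any(d.subnet_of(b) for b in discovered_nets)]
    return ([str(n) for n in sorted(set(undeclared))],
            [str(n) for n in sorted(unattributed)])


def is_covered(cidrs, ip):
    """True if the IP string lies inside any CIDR string in the list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)
```

With the sample data, the second half of 203.0.113.0/24 and everything in 198.51.100.0/24 except .10 come back as undeclared, while 192.0.2.77 is flagged as unattributed.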

Overall it is the responsibility of all the parties to demand quality. Even though some organizations may be delivering low-quality work today, the communication vehicles are in place to discover these individuals. As such, those who commit fraud during their accreditation will be discovered, and are exposing themselves to heavy liabilities for those that they are “certifying”.

Happy Friday,

James DeLuccia IV

Categories: Compliance · PCI DSS · Risk Management

78% of Merchants don’t know… and institutions don’t care about PCI DSS.

August 6, 2006 · 20 Comments

22% of the major retailers (approximately 290 in the United States) are PCI DSS compliant, and 78% are on track to being compliant. This figure, as appropriately highlighted and restated several times on other news sites, ignores the mid-tier merchants and the service providers. These two groups alone represent a far scarier multiple of sources of attacks. Unfortunately, there is still some hubbub about Merchant CEOs, industry analysts, and certain VISA assessors who feel that the standard is not clear or is not being applied prudently to encourage complete adoption.

The trappings of forming a standard are numerous, and one is the inconsistent policing and monitoring. Anything that isn’t measured is not done, and in the IT Controls world this is no different. At present, assessors are pitching their services to companies that are responsible for meeting the mandates set forth by PCI DSS. Too often the assessors are screaming and shouting FUD (fear, uncertainty and doubt) via marketing and sales tactics. This is a terrible means of communicating a standard that was designed to reduce the costs of fraud and injury to the payment card network (both the consumer and the providers). Unfortunately, due to a lack of communication throughout the network, many of those that should be PCI DSS compliant do not even know what it means. This was found to be true at this year’s Payment Card Industry Conference in Las Vegas, where less than 40% knew what PCI DSS represented. The positive side of this survey showed that the majority, greater than 70%, considered IT Controls & Security to be of paramount importance.

So, we know that the merchant-providers have the desire and will to put in place strong security and protect their clients, but seem to be unaware of the relevant standard of PCI DSS. (Relevant standard is an important distinction from how the rest of the world is managing IT Controls: because PCI DSS was made by those in the payment card industry for those in the payment card industry, the standard speaks directly to the real risks and threats that exist. This is of course not the case with SOX-COSO, HIPAA (its own arbitrary standard), or ITIL (for everything else in the world).) The break in communication is not with the card companies (VISA, MASTERCARD, AMEX, etc…), as they have dedicated portions of the website, teams, training, roadshows, web casts, blogs, analysts, and a number of media outlets that are being paid to publish articles on this standard.

The break in communication is simply an economic one once we consider how liability and fines are handled. If a breach occurs at Merchant X, VISA and company will each issue fines. Their fines however are not to the merchant, but in fact are (this is an example and not absolute, and there will certainly be variations) placed upon the institution that handles or issued that merchant’s cards. It is up to the institution to then pass along the fine to the merchant. Now the institution is in quite the position – pass the fine along and risk losing their business at renewal, or absorb the fine as a cost of doing business with the merchant. This depends on the volume of business occurring from Merchant X. So, big merchants don’t pay fines? More importantly, if the institution feels there is greater value in absorbing the cost as part of business, was this risk calculation done for mid-tier merchants? Those that could not absorb such a fine without going out of business?

In reality – the institutions have the responsibility and know the merchants-providers that need to comply with PCI DSS. Unfortunately, it is contrary to the institution’s business to fine or trouble their clients with fines that are not always delivered. In an interview a VISA spokesperson states that they had not issued as many fines as should have been – this is clearly true since 78% have not been compliant, and should have been fined as much as a year and a half ago.

A bit of a rant, but looking into the confusion one can only imagine the state of those who are trying to effect change in their organization to meet PCI DSS and realize the amount of resistance they are running into.

Categories: IT Controls · PCI DSS

Busy Busy Busy…

August 5, 2006 · Leave a Comment

Not only have I been lax in providing updates to the hundreds of visitors I receive, it seems that the industry itself has decided to launch a volley of information. To make these recent news releases more interesting, there have also been some contradictory articles posted to add a bit of humor and added enjoyment to our morning RSS feeds. Enough of the chit-chat; I will break down the latest and greatest updates in the next few posts, and try to link as accurately as possible to avoid reworking or restating what others have so thoughtfully put together.

Firstly, as I stated several weeks ago, a new set of levels would be released for Merchants, and it has. Please see www.visa.com/cisp for the new merchant levels. They are, as we described before, a clearer set of guidelines that eliminates the difference between digital and in-person transactions. Newswire and GreenPage both have articles describing the level changes. It is stated that this will only affect around 2,000 total merchants (some going up and others going down). This will require more quarterly remote certifications for merchants.

The important takeaway for Merchants, Service Providers, and just about anybody else that touches cardholder data is that adopting and embracing these security standards is a good and sensible plan that supports corporate governance objectives. All executives should realize that adoption of PCI DSS provides them with the necessary comfort on their financial reports (SOX), and their external / internal auditors should be requiring immediate, if not progressive, adoption to safeguard the critical infrastructure.

Categories: Compliance · IT Controls · PCI DSS