Weak PCI DSS Vendor Scanner Certification Process?

There have been several discussions around the water cooler and on the web about what it takes to become a MasterCard assessor under PCI DSS. The folks that undertake this journey must climb mountains of standards and requirements. Having steered a mid-sized company through this process I will share the basic hurdles and requirements. In addition I will address some of the recent criticism, and hope that others will add their experiences to the discussion.

To become a MasterCard Assessor a company must visit the MasterCard SDP website and review the program documents. Once all the legal jazz is complete, a fee is required. That money can be attributed to many internal costs at MasterCard (maintaining the program, the site, the assessor testing platforms, communication, legal fees for reviewing dozens of contracts), but my favorite (hypothesized) reason is to keep unsophisticated companies off the list. By keeping out the smallest shops, MasterCard and VISA are able to require at least a modicum of an established professional organization from those that wish to conduct these services.

So, once the dues are paid the assessor (under MasterCard) is given a target environment to audit. The assessor is expected to treat this engagement as one of the hundreds they will perform for their clients. The intent here is to validate the assessor’s competence in delivering these services, and completeness in meeting the requirements of PCI DSS. From experience, however, there have been reports of companies assigning their leading penetration testers to the test, and then switching to their automated systems once they are certified. Assuming the organization does pass the test, it is granted a certification number, which must appear on every report it delivers. Having gone through this certification I can vouch that a simple Nessus scan will not qualify a vendor. Anyone have different experiences? We had to establish an automated system that merged a Nessus scan with a Retina scan w/ SPI, and THEN had a real person evaluate the results and do some final validation for the client-facing report.

From there the accredited assessor can market and attract clients under the PCI DSS umbrella. An engagement may cover a single quarter or lock in the client for many years. The greatest responsibility the assessor has is ensuring the client provides ALL the applicable IP addresses that are to be audited. This is critical because if the client does not provide them all, or the assessor does not adequately discover the total set of assets, the contract has been breached. As a result, the client is non-compliant and susceptible to a false sense of security and to attacks (which then hit the consumer’s wallet). In addition, the assessor is liable, under the terms of the contract, for the shoddy work that was delivered. The assessor’s risk is very high and at the mercy of the client in this case.

So there are some good and bad points from the point of view of both the client and the auditor. A few tips (it is not all doom and gloom – it IS Friday after all):

Client (merchant or service provider required to be compliant):
– Qualify the assessors before signing a multi-year contract (as the client you have a duty to evaluate the parties that are conducting this work)

Remember: long-term contracts are cheaper, but may breed complacency

– Lowest bid is not the best. You want to Optimize and not Maximize (optimize the value through service and quality, while not maximizing or reaching burdensome control validations)
– Fully evaluate your environment and identify all external entry points (this should include partners, service providers, vendors, holding companies, etc…)
– Once the due diligence is complete on the entire external environment, determine where the cardholder data passes and then be sure these addresses are provided to the assessor.
– Maintain control over the environment. As environments change, grow, merge, and divest, new in-scope IP addresses will appear. It is critical that a central repository of up-to-date IP addresses is maintained.

Assessor (scanning vendor):
– Conduct independent diligence on the client and identify all the IP address blocks the organization and its affiliates possess. This can easily be done with online WHOIS services.
– Provide the client with an exploratory questionnaire (are they using third parties?) to fully determine the possible external points in scope
– Have the client certify that the final list (including the discovered IP addresses) is owned, in scope, and may be audited
– Encourage transparency in the process (the intent of PCI DSS is to improve security, not to operate a black-box service). The client will be better off and so will your relationship.
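A worked example of the scope reconciliation the two lists above describe (added here; it is not code from the original post or from any scanning vendor). It takes the list the client certified, the netblocks an independent WHOIS/ASN lookup attributes to the client and its affiliates, and the target list exported from the scanning platform, and reports the gaps in every direction. The three input lists are constructed from RFC 5737 documentation ranges, and the lookups are assumed to have been done beforehand, so it runs offline.

```python
"""Reconcile client-declared scan scope against independently discovered
netblocks and the scanner's configured targets.

Added example, not code from the original post. All sample data below is
constructed from RFC 5737 documentation ranges; in a real engagement
DISCOVERED comes from WHOIS/RDAP and ASN lookups and SCAN_TARGETS is the
export from the scanning platform.
"""
import ipaddress


def parse_networks(entries):
    """Accept CIDR blocks or bare addresses (strict=False tolerates 203.0.113.5/24)."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def subtract(nets, cover):
    """Return the parts of `nets` that no network in `cover` includes.

    Two CIDR networks either nest or are disjoint, so only three cases arise
    per pair. IPv4 and IPv6 are collapsed separately because
    collapse_addresses() refuses mixed versions.
    """
    remaining = []
    for version in (4, 6):
        remaining.extend(ipaddress.collapse_addresses(
            [n for n in nets if n.version == version]))
    for c in cover:
        nxt = []
        for r in remaining:
            if r.version != c.version:
                nxt.append(r)                      # unrelated address families
            elif r.subnet_of(c):
                continue                           # fully covered: drop it
            elif c.subnet_of(r):
                nxt.extend(r.address_exclude(c))   # punch a hole, keep the rest
            else:
                nxt.append(r)                      # disjoint: keep as is
        remaining = nxt
    return sorted(remaining, key=lambda n: (n.version, n))


def covered(addr, nets):
    """True if `addr` (string or address object) lies inside any of `nets`."""
    ip = ipaddress.ip_address(addr) if isinstance(addr, str) else addr
    return any(ip in n for n in nets)


def reconcile(declared, discovered, scan_targets):
    """Compare the three views of scope and return the discrepancies as strings."""
    declared_nets = parse_networks(declared)
    discovered_nets = parse_networks(discovered)
    targets = [ipaddress.ip_address(t.strip()) for t in scan_targets]
    target_set = set(targets)

    # Enumerating every declared address is fine for the /28s and /32s in the
    # sample; for large declared blocks compare block-wise instead.
    unscanned = [str(a) for n in declared_nets for a in n if a not in target_set]

    return {
        # registry ties these to the client, yet they were never put in scope
        "undeclared": [str(n) for n in subtract(discovered_nets, declared_nets)],
        # declared, but no registry record ties them to the client (third-party hosting?)
        "unverified_declared": [str(n) for n in subtract(declared_nets, discovered_nets)],
        # configured in the scanner but outside the certified scope
        "out_of_scope_targets": sorted(str(t) for t in targets
                                       if not covered(t, declared_nets)),
        # certified in scope but never handed to the scanner
        "unscanned": unscanned,
    }


# Constructed sample: what the client certified as in scope
DECLARED = ["203.0.113.0/28", "198.51.100.10", "192.0.2.80"]
# Constructed sample: netblocks WHOIS/ASN lookups attribute to the client and affiliates
DISCOVERED = ["203.0.113.0/24", "198.51.100.8/29"]
# Constructed sample: what the scanning platform is actually configured to hit
SCAN_TARGETS = ["203.0.113.1", "203.0.113.2", "203.0.113.3",
                "198.51.100.10", "192.0.2.44"]

if __name__ == "__main__":
    for key, items in reconcile(DECLARED, DISCOVERED, SCAN_TARGETS).items():
        print(f"{key}: {', '.join(items) or 'none'}")
```

Anything under undeclared is exactly the case the post warns about: an address block the registry ties to the client that was never certified, so any host inside it is a compliance gap waiting to be found by someone else. unverified_declared is the opposite situation (an address the client declared that no registry record ties to them, typically a hosted site) and is the hook for the third-party questionnaire, not a reason to drop it from scope.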

Overall it is the responsibility of all the parties to demand quality. Even though some organizations may be delivering low-quality work today, the communication vehicles are in place to discover these individuals. As such, those who commit fraud during their accreditation will be discovered, and are exposing themselves to heavy liabilities toward those they are “certifying”.

Happy Friday,

James DeLuccia IV

9 responses to “Weak PCI DSS Vendor Scanner Certification Process?”

  1. What about those “self-scan” PCI portals? It seems that with these the responsibility lies with the merchant to be able to identify which IPs are in the scope for the audit. Does anyone have any experience or recommendations about these?

  2. Pingback: Network Security Blog

  3. It’s interesting to see how many little TRUE security research companies are on that list.

  4. Jim,

    You bring a good point to this discussion. Unfortunately as the merchant is (in this case) supplying the information they are essentially certifying that what they require to be certified is all that is necessary. One wouldn’t pay car insurance for one car and then require the insurance company to pay for damages for the 4 vintage classics you had in the garage, and therefore the certification by these PCI Portals is only as good as the customer’s information. In fact, these PCI Portals (mostly) have the individual using the site to attest that they are providing all the required information. If an incident does occur on an IP address that is publicly available that was not certified – the company is not certified (and in fact never was, as the requirement states ALL publicly available IP addresses).

    This also raises an important point – if a site is hosted on a virtual web server (i.e. hosting company hosts a 100 sites on the same box), then ALL of those sites fall under the PCI requirements.

    I hope this helps, and look to anyone who has other experiences or challenges with hosted-virtual environments.

    Best regards,

    James DeLuccia IV

  5. Daniel,

    Interesting point: what do you consider a “real” security company? I imagine many would have very conflicting definitions. One may consider an organization that has a slew of talented professionals that understand and can architect secure environments to be a real company, but others may swing the pendulum over to those that discover and write exploits.

    So, what is the best definition??

    I do agree that there are a few barebone shops that are merely providing a checkbox to a mandate…but how do we know which is which, and more importantly:
    – If a “real” company is conducting your audit, is a “real” person doing the work?

    Other thoughts? A great mystery in the services business is… who is doing the work???

    Best regards,

    James DeLuccia IV

  6. Pingback: PCICo is officially the Payment Card PCI Security Standards Council!! « Payment Card Security & IT Controls Explained


  8. Christopher J Flynn

    A PCI compliance portal from a leading security vendor seems to make light work of the scheduling and scanning for many external hosts, but then it becomes a millstone around our neck from the inflexible reporting: the reports are only available in really horrible HTML, with very limited and simplistic analysis.

    It seems that the banks are able to export compliance information in Excel format.

    Does anyone know of a PCI compliance portal that provides the scan data in an exportable format for merchants?

