There have been several discussions around the water cooler and the web on what it takes to become a MasterCard assessor under PCI DSS. The folks that undertake this journey must climb mountains of standards and requirements. Having steered a mid-sized company through this process, I will share the basic hurdles and requirements. In addition I will address some of the recent criticism, and hope that others will add their experiences to the discussion.
To become a MasterCard Assessor a company must travel to the MasterCard SDP website and review the documents. Once all the legal jazz is complete, a monetary contribution is required. These amounts can be attributed to many internal costs at MasterCard (maintaining the program, the site, the assessor testing platforms, communication, legal fees for reviewing dozens of contracts), but my favorite (hypothesized) reason is to keep the unsophisticated companies off the list. By keeping out the smallest shops, MasterCard and VISA are able to require at least a modicum of an established professional organization from those that wish to conduct these services.
So, once the dues are paid the assessor (under MasterCard) is given a target environment to audit. The assessor is expected to treat this engagement as one of the hundreds they will perform for their clients. The intent here is to validate the assessor’s competence in delivering these services, and completeness in meeting the requirements of PCI DSS. From experience however, there have been reports of companies assigning their leading penetration testers on the task, and then switching to their automated systems once they are certified. Assuming the organization does pass the test they are granted a certification number, and must provide this on every report they deliver. Having gone through this certification I can vouch that a simple Nessus scan will not qualify a vendor. Anyone have different experiences? We had to establish an automated system that merged a Nessus scan with a Retina scan w/ SPI and THEN had a real person evaluate the results and do some final validation for the client facing report.
From there the accredited assessor can market and attract clients under the PCI DSS umbrella. They may deliver a single quarter or lock in the client for many years. The greatest responsibility the assessor has is ensuring the client is providing ALL the applicable IP addresses that are to be audited. This is critical because if the client does not provide them all, or the assessor does not adequately discover the total assets, the contract has been breached. As a result, the client is non-compliant and susceptible to a false sense of security and hacking attacks (which then hit the consumer’s wallet). In addition, the assessor is liable for the shoddy work that was delivered based on the terms of the contract. The assessor’s risk is very high and at the mercy of the client in this case.
So there are some good and bad points from the point of view of the client and the auditor. A few tips (it is not all doom and gloom – it IS Friday after all):
Client (Merchant-Service Provider required to be compliant):
– Qualify the assessors before signing a multi-year contract (as the client you have a duty to evaluate the parties that are conducting this work)
Remember: long-term contracts are cheaper $$, but may cause complacency
– Lowest bid is not the best. You want to Optimize and not Maximize (Optimize the value through service and quality, while not maximizing or reaching burdensome control validations)
– Fully evaluate your environment and identify all external entry points (this should include partners, service providers, vendors, holding companies, etc…)
– Once the due diligence is complete on the entire external environment, determine where the card holder data passes and then be sure these are provided to the assessor.
– Maintain control over the environment. As the environments change, grow, merge, and divest, new in-scope IP addresses will exist. It is critical to ensure a central repository of up-to-date IP addresses is maintained.
Assessor:
– Conduct independent diligence on the client and identify all the IP address blocks the organization and its affiliates possess. This can easily be done with online WHOIS services.
– Provide client with exploratory questionnaire (are they using third parties?) to fully determine the possible external points in-scope
– Have the client certify that the final list (including the discovered IP addresses) is owned, in-scope, and may be audited
– Encourage transparency in the process (the intent of PCI DSS is to improve the security and not operate a black box service). The client will be better off and your relationship will too.
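The scope reconciliation the tips above describe (client-supplied addresses checked against the IP blocks independent WHOIS research attributes to the organization and its affiliates) can be automated. This is an added example, not code from the original post; the address list and the CIDR blocks are constructed sample data, and the function name is my own.

```python
"""Reconcile a client-supplied PCI scan scope against owned IP blocks.

Two gaps are surfaced: addresses the client listed that fall in no block
attributed to it (third parties or typos that need ownership certification),
and attributed blocks with no scope entries at all (possible missed assets).
"""
import ipaddress
from typing import Iterable

# Constructed sample: blocks WHOIS research attributed to the client/affiliates.
DISCOVERED_BLOCKS = ["198.51.100.0/24", "203.0.113.0/26", "192.0.2.128/25"]
# Constructed sample: the address list the client put in its scope document.
CLIENT_SCOPE = ["198.51.100.10", "198.51.100.11", "203.0.113.5",
                "203.0.113.70", "8.8.8.8"]


def reconcile_scope(client_scope: Iterable[str],
                    discovered_blocks: Iterable[str]) -> dict:
    """Return the three lists an assessor needs before certifying scope."""
    blocks = [ipaddress.ip_network(b, strict=True) for b in discovered_blocks]
    addrs = sorted({ipaddress.ip_address(a) for a in client_scope})
    owned, unowned, covered = [], [], set()
    for addr in addrs:
        block = next((b for b in blocks if addr in b), None)
        if block is None:
            unowned.append(str(addr))        # client must certify ownership
        else:
            owned.append(str(addr))
            covered.add(block)
    # Blocks with no scope entries are where in-scope assets tend to hide.
    silent = sorted(str(b) for b in blocks if b not in covered)
    return {
        "in_scope_and_owned": owned,
        "needs_ownership_certification": unowned,
        "owned_blocks_with_no_scope_entries": silent,
    }


if __name__ == "__main__":
    for label, items in reconcile_scope(CLIENT_SCOPE, DISCOVERED_BLOCKS).items():
        print(f"{label}: {items}")
```

Both output lists go back to the client as questions, not conclusions: an unowned address may be a legitimately in-scope service provider, and a silent block may hold nothing that touches cardholder data.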
Overall it is the responsibility of all the parties to demand quality. Even though some organizations may be delivering low quality work today, the communication vehicles are in place to discover these individuals. As such, those who commit fraud during their accreditation will be discovered, and are exposing themselves to heavy liabilities for those that they are “certifying”.
James DeLuccia IV