Thursday, March 03, 2011

RSA 2011 PCI Council Interview

Just like last year, I did this great interview with Bob Russo, the GM of PCI Council. There is no audio recording,  what follows below are my notes reviewed by the Council. Italic emphasis is added by me for additional clarity.

Q1. PCI DSS 2.0 is out. What do you think its impact is, so far?
We are just entering the implementation phase, but it seems like there is no major impact yet, it is definitely too early to say what the impact would be.
Using data discovery – merchants looking to confirm that PAN data does not exist outside of the defined PCI DSS scope - seem to be becoming more prominent and this seems to be a direct result of PCI DSS 2.0. Accidental exposure of cardholder data is a known risk. By identifying where the data truly resides first, through a tool or a methodology, should aid organizations in their assessment efforts and ongoing security.
By the way, despite moving to the longer three year process, we can still update the standard in between via errata mechanism [described hereadded by A.C.] or using additional guidance produced by the Council and SIGs. For example, if there is a new threat, we can issue additional guidance on how to deal with it within the framework of PCI DSS.
Q2. QSA assessment quality is said to be improving due to QSA QA. On the other hand, reports of many SAQs being “inaccurate” are fairly widespread. Is anything being done to improve SAQ quality at Level2 and smaller merchants?
Well, some merchants do “answer Yes to every question”- is that what you mean by inaccurate?! We see education as the answer to this. For example, there are plans for making SAQ easier to fill in– think about a TurboTax type model for SAQ – a wizard process for answering the pertinent SAQ questions and for presenting the right questions to the merchant in a logical order.
Education efforts can help a merchant understand that honest and accurate SAQ are for “their protection.” Everyone needs to include security in their daily process. The Council will seek to help by providing additional guidance on how to become more secure, comply with the Standards and how to validate that compliance. Some of this is being addressed with the new general Awareness Training we have launched, offering a high level overview of what PCI is and the role that every employee plays in keeping card holder data secure.
Q3. While we are on the SAQ theme, can anything be done to have more merchants stay compliant, not just get validated every year and then forget about PCI DSS until the next validation?
Definitely, more education is needed and we are trying to fill that vacuum, like with the Awareness Trainings we have rolled out. For example, educating merchants that PCI DSS is about data security – not checkbox compliance - is a big focus. Merchants also need to be reminded that they need to get secure and compliant and stay secure and compliant. It requires ongoing vigilance. Unfortunately, some merchants think that “PCI DSS is about a questionnaire and a scan” and this mentality needs to be addressed by educating merchants about data security.
Q4. Visa new EMV rules might make merchants in Europe and Asia care even less about payment data security. What do you think the impact of the new rules will be on PCI?
It is too early to tell at this stage as the rules were announced last week [first week of February 2011 – A.C.]. In essence though, this is a compliance or reporting issue. Nothing has changed for the Council or the standards. PCI DSS still remains the foundation for card security for all payment brands. Ecommerce merchants in those regions remain still must adhere to the PCI DSS even with the new rules. In essence, the new rules imply that the merchants do not need to continue validate compliance, however, we understand that the merchants still has to become and stay compliant, and have proof of that even before considering this program by that brand.
As far as we know, acquirers still plan to get their merchants compliant and validated, so “nothing has changed” for them in the new VISA program. Also, according to public information on the new program, acquirers can still be fined for non-compliance under the new rules as well. This should continue to lead them to get their merchants PCI compliant to reduce the risk of the acquiring bank.
It’s early to tell what merchants think and how they will react to this at this time.
Q5. Will PCI DSS ever move away from the model where the merchants are either compliant with the entire PCI or they are not? Isn’t it better if 100% of merchants implement 10 critical controls vs 10% of all merchants implement 100% of controls?
We are continuing to look at ways for merchants and others in the payment chain to reduce and minimize their card data environment. Some technologies can help, but only if done right. That is why we are putting so much effort in really scrutinizing these technologies to ensure that they are indeed effective, and under circumstances.
For those just starting their compliance journey, using the PCI milestones and Prioritized Approach [see here – A.C.] will also increase in the future. For example, in the new standards we suggest a risk based approach to compliance programs. Mitigate the biggest risks first and you are doing yourself a great favor and moving that much closer to compliance. As an example of this, updating requirement 6.2 to allow vulnerabilities to be ranked and prioritized according to risk. You will hear more from the Council about this in 2011.
Q6. Some QSAs (and merchants) still complain that “QSAs are subjective.” Will there be more prescriptive assessment procedures?
Compliance cannot be absolute and completely objective since merchant environments differ greatly. For example, look at compensating controls – they are an example of flexibility with working with the Standards.
If we get more rigid, and do not include flexibility within the Standard for compensating controls, more people will believe that PCI DSS is forcing them to do things “our way.” We think the current standard is at or close to a balance in this regard, allowing security and flexibility to protect card data within everyone’s own unique environment. People should feel free to ask the PCI Council if there is any doubt about a particular QSA decision.
The Council also receives details on QSA performance, outside of just merchants. We keep a close watch on this to ensure a consistent level of QSA performance. Also, merchants are not the only ones who can report bad QSAs to the Council. [I suspect, although I am not sure, that they are talking about other QSAs here – A.C.]
In addition, we hope that more organizations will take advantage of our Internal Security Assessor program to help their internal employees better understand the process of an external assessment and how to maintain a strong security program between assessments.
Q7. Does council plan to “certify” any other security technologies, like you do for ASV vulnerability scanning?
We do not currently have plans to do so. More guidance will likely be released on using technologies to help with PCI DSS compliance and data security. There are no plans to certify other security technologies in a manner similar to vulnerability scanning and ASVs.
Many technologies, such as possibly logging and log review, may get additional guidance in the future. While the DSS 2.0, added a sub-requirement for payment applications to support centralized logging [PA-DSS Requirement 4.4 – A.C.], it is a known area where many merchants are struggling and additional guidance could go a long way.
Q8. There is definitely a need for more scoping guidance, especially for complex environments, involving virtualization, cloud providers, 3rd party partners, etc. When will scoping SIG guidance be released?
PCI DSS 2.0 does recommend using data discovery for better scoping. We’ve reinforced that all locations and flows of cardholder data should be identified and documented to ensure accurate scoping of cardholder data environment. Merchants should not be guessing at what the scope is, but completely and objectively determine that scope. Simple scoping guidance is a challenge. It is difficult to create a single set of parameters that one can undertake to determine the scope of PCI applicability across a complex environment. It is an inherently complicated task.
However, we hope to provide some additional guidance on this process soon, perhaps, a few steps at a time to begin to help merchants better understand this process.
Possibly related notes:

Dr Anton Chuvakin