What difference does it make?

July 26, 2010


As a major part of becoming and maintaining PCI compliance, organizations are tasked with performing routine/periodic tasks over the course of a year.  And during their annual PCI re-validation, the organization is required to provide evidence that these routine tasks have been performed. But what happens when the QSA determines that the organization did not keep up with their homework? How does it affect their PCI compliance?

Short answer….it doesn’t.

Merchants and service providers (SP) are required to perform the following routine tasks which a QSA then needs to validate as having been completed:

  • Daily review of audit logs
  • Quarterly internal vulnerability scans
  • Quarterly external vulnerability scans
  • Quarterly scans w/wireless analyzer
  • 6 month review of firewall/router rule sets
  • Annual risk assessment
  • Annual review/update of infosec policies
  • Annual internal penetration test
  • Annual external penetration test
  • Annual security awareness
  • Annual incident response test

Of course if this is an organization’s first attempt at compliance, they will be unable to provide a “year’s” worth of evidence that the above has been completed.  But, if this is not their first time around the PCI block, then the organization should be able to provide a year’s worth of evidence.  However, what happens when a merchant or SP missed a quarterly scan or it’s been over a year and they have yet to conduct IR testing?  One might think that they’ve missed their mark to be compliant for that year, and another year needs to go by.  But that is not the case. If an organization failed to meet a task, they are simply asked to promise (and mean it this time) in a strongly worded policy/procedure to have it done in the required timeframe next year.  As for the current assessment, the organization just needs to get it done and submitted to the QSA for review, even though it is outside of the task window. As long as it’s done sufficiently, the QSA has no choice but to mark it “In Place.”

What’s the point? I’d like to see a QSA that actually tells the organization, “Nope, you missed the annual window. You’ll have another chance to be PCI compliant next year.”  I know I am being harsh but where are the consequences for not taking these tasks seriously knowing they can just get it done after the fact?  Does a breach have to occur in which the card brands, jumping up and down, pointing their finger proclaiming that “at the time of the breach, the organization was not PCI compliant.”  By then it would be too late.  I think most of us can agree that the tasks identified are part of a comprehensive infosec security plan; however, I consider this is just another example as to why the PCI standard itself needs to be re-evaluated on how it is being applied.

Advertisements

One Response to “What difference does it make?”

  1. LonerVamp said

    I imagine this is just one of several dirty little secrets of PCI. 🙂

    And one I hope my mgmt doesn’t end up falling into…though fear they will. (Even if I schedule regular vuln scans, which I do, does someone look at and take action on them? …)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: