Early on in my career, I was assigned a PCI DSS assessment with a major sporting franchise. In one of the down moments that we had, I started to make conversation and try to get to know my client a little better. Sure, I was there to assess payment security, but it’s always nice to find common ground away from the office!
Through our conversation I learned that the gentleman enjoys gardening. I had found a moment to which I could relate and start a more meaningful conversation. I was newly married and my wife’s ambition was to have her own garden. I told him the story of how I built raised beds and hauled in dirt, all in an effort to please my new bride.
As my story progressed, I told the tale of the mythical zucchini, having missed its harvest at its peak only to come out a few days later to find it the size of my leg. At this, my client responded with these important words of advice:
“Jeff, as a gardener you should be checking your plants, watering, removing weeds, harvesting when the fruits and vegetables are ready. It’s okay if you see a weed and leave it; that’s your role as a steward of your labor. But if you are surprised by the weeds or fruits you find then you are not a gardener, you’re a passive observer.”
I’ve often thought back on that conversation and how that statement is so applicable to business as well, including efforts to assess payment security.
Tending to PCI
The role of your PCI Qualified Security Assessor (QSA) is to assess for compliance, not to audit you. There will always be findings during these types of security testing events; however, if you are surprised by the results of the assessment then you’re likely not fully tending to your PCI responsibility.
Your responsibility is to maintain a PCI compliance effort that effectively applies security controls for your business’s full compliance with the PCI Data Security Standard. If you are doing your job, you should not miss a quarterly scan or discover that a month has passed since your last log review. While we always want to trust that things are happening, lift the leaves and move things around. Do not assume there is nothing there, because that is when you get surprised.
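"Lifting the leaves" in practice means checking the evidence of each recurring control against its required cadence rather than assuming it happened. The script below is an added example of that check; it is not code from the post or from ControlScan. It parses a small, constructed evidence register (dates and control names are made up) and reports which controls are past their window or have no evidence at all. The quarterly window for external scanning is the cadence the post refers to; the daily log-review and semi-annual firewall-review intervals are assumptions chosen for illustration.

```python
from datetime import date, timedelta

# Maximum age (in days) of evidence before a control counts as untended.
# "Quarterly" external scanning is the cadence the post mentions; the other
# two intervals are illustrative assumptions, not values from the post.
CADENCE_DAYS = {
    "external_vulnerability_scan": 90,   # quarterly
    "log_review": 1,                     # assumed daily
    "firewall_ruleset_review": 180,      # assumed semi-annual
}

# Constructed evidence register, one entry per line: "YYYY-MM-DD control note".
# In practice this would be exported from a ticketing or GRC system.
EVIDENCE_LOG = """\
2024-01-15 firewall_ruleset_review ruleset reviewed, two stale rules removed
2024-02-01 external_vulnerability_scan ASV scan completed, 0 high findings
2024-04-28 log_review SIEM daily review ticket closed
2024-05-01 log_review SIEM daily review ticket closed
2023-11-02 external_vulnerability_scan ASV scan completed, 1 high finding remediated
"""


def parse_evidence(text: str) -> dict:
    """Return the most recent evidence date per control from a register dump."""
    latest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day_str, control, *_ = line.split(maxsplit=2)
        when = date.fromisoformat(day_str)
        if control not in latest or when > latest[control]:
            latest[control] = when
    return latest


def overdue_controls(latest: dict, today: date, cadence=CADENCE_DAYS) -> dict:
    """Map each untended control to how many days past its window it is.

    A control with no evidence at all maps to None. Controls that are still
    within their window are omitted, so an empty dict means all is on schedule.
    """
    overdue = {}
    for control, max_age in cadence.items():
        last = latest.get(control)
        if last is None:
            overdue[control] = None
            continue
        age = (today - last).days
        if age > max_age:
            overdue[control] = age - max_age
    return overdue


def next_due(latest: dict, cadence=CADENCE_DAYS) -> dict:
    """Date by which each control with existing evidence next needs fresh evidence."""
    return {c: latest[c] + timedelta(days=n) for c, n in cadence.items() if c in latest}


if __name__ == "__main__":
    today = date(2024, 6, 1)   # fixed date so the output is reproducible
    latest = parse_evidence(EVIDENCE_LOG)
    for control, days in sorted(overdue_controls(latest, today).items()):
        status = "no evidence" if days is None else f"{days} day(s) past window"
        print(f"{control}: {status}")
```

Run on a schedule (or as a pre-assessment check) this turns "I think the scan ran" into a dated answer, and the `None` case is the one to watch: a control with no evidence at all is exactly the surprise the post warns about.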
As an assessor I cannot tell you how many times I have heard the statement, “But last year….” I’ll let you fill in the blank. This statement often happens when there is a change in the standard or a change in assessors.
As you manage your risk, you should take a comprehensive view of your environment and be constantly reviewing those items that can potentially impact the security of your cardholder data environment, making any necessary alterations to address the risk. In today’s cyber world, threats are evolving at an exponential rate. Just because a control was sufficient to address a specific point of risk last year does not mean that it is sufficient today.
If an assessor comes into your environment and provides a punch list that takes you three months to resolve, I suggest your security program is not functioning. In one of my previous posts I noted the importance of measuring and reporting on the efficacy of your security program; I would like to reiterate that.
Bringing Your Hard Work to Fruition
What I’ve discussed so far will help you be prepared for the day that your QSA arrives to conduct their assessment. Your QSA’s job will be to decide if the payment security controls implemented by your business meet the intent of each applicable requirement as defined by the PCI Council.
While the PCI DSS is very black and white, a degree of assessor’s discretion is afforded to the QSA in relation to how the standard applies to an organization. Your QSA may therefore adjust how the standard is applied to each IT environment, but they must still stay true to its intent.
Keep in mind that your QSA is not the arbitrator of risk, nor is it your place to accept the risk; both these items belong to your acquiring bank. The QSA’s role is to assess payment security according to the PCI DSS, advocate for you, and provide the necessary documentation that will give your customers and/or acquiring bank an accurate picture of your risk posture.
So, when it comes to your company’s PCI compliance, are you a gardener or a passive observer? Remember, it is simply not enough to plant the seeds of compliance and come back months or even a year later expecting to be compliant. PCI compliance is an ongoing process that needs to be tended to regularly.
Want more QSA Assessment insights? Check out the helpful ControlScan white paper here.