Watch to learn how to prepare for PCI DSS 4.0 implementation and what PCI v4.0 requirements could be challenging to implement.
Watch SecurityMetrics VP of Assessments, Gary Glover, and BT Group Senior Manager ISSCA Consultancy Services, Simon Turner, discuss:
This webinar was given on January 13, 2023.
Alright, everyone. Thank you for coming today. Welcome to our webinar on, kind of, a PCI 4.0 transition with British Telecom. Just a little bit about myself. I've been a QSA for about eighteen years now, and I've had the pleasure of getting to know my guest today over those past years. And today we have Simon Turner here from British Telecom, and he's gonna be talking about their transition efforts to PCI DSS 4.0. Simon has been working in this industry for ten years, but actually supporting PCI compliance since about 2006.
He has worked at Citibank doing vulnerability management, maintaining systems, processing PCI data.
Simon and I have been on a number of panels over the years together and, participate in various council task forces.
And, British Telecom works with a really great QSA company that I have a lot of respect for, and I appreciate him taking some time, with us, today to be with us for this webinar. So did I say everything right, Simon? Did I miss anything? Yeah.
That's Thanks for inviting me. Pleasure to talk to you.
Right. And this is, you know, this is one of those our-morning, Simon's-afternoon podcasts or webinars. So he's finishing his day. We're just getting started here. Appreciate everybody being with us. So, Simon, just to kinda get off as we start talking about this, what is one of the main takeaway statements? If you were to make one, what would it be right now?
I think for me, no matter what size of organization you are, you can't put it off. You need to at least pick up the paperwork and have a look at it and have a good read and think about what it is you need to do. Obviously, different sizes of organization can make things happen at different speeds. And in a large organization like BT, it's certainly gonna take me longer than some small merchant who's just operating a small payment environment.
Right.
Well, good. Well, we're gonna talk more about that, but there's kind of a good sum up.
Over this past year, I think, British Telecom has decided to go kind of in the direction of 4.0 sooner rather than later, it sounds like, from our discussion, Simon. What kind of things are you guys working on? How has that transition been starting off? And maybe you could just kinda let us know about that effort a little bit.
Yeah. No. Thanks. So, I mean, BT is a large organization. We're a very regulated organization.
Obviously, PCI is not regulated, it's more contracted, but, you know, our boards are fully committed to achieving compliance. In fact, they like us to be seen as an industry leader, which is really one of the big efforts from, you know, ensuring that we're looking at the PCI program with the way we work as an organization. You know, we've mentioned we've got a great big security drive to maintain compliance in multiple different areas, then PCI is certainly one of those and it's the brand that we care about as well.
You know, we run a tight ship here as well at BT. We've got a very mature internal assurance program.
You know, we've got a decent sized team here at BT. So there are ten, eleven of us at the moment, both in consultants and first line, second line assurance members. So we definitely have a big program.
And I think that program as well isn't just the bare minimum for PCI. So if you think, you talk about SAQ A eligibility criteria as well, you know, where we might focus on that area, we do above and beyond what PCI requires.
And that's really helped us with version 4 as well because there's a number of new requirements which have actually been made simple with the transition to version 4. So for example, authenticated vulnerability scans. We've been doing that for a number of years now. So I can tick that box quite easily.
And I really think being a participating organization as well with the PCI Council has been really good for us because we're engaging in the whole RFC process, you know, where we get to give our opinion on future improvements and comment on existing changes. So having an early view of the draft versions was really helpful in order to kinda scope what our challenges might be.
And and I guess the main takeaway for me is as soon as that version four standard was released. Right? So not waiting for the council to deliver the training and interpretation of what we need to do as assessors.
We really started looking into it in-depth with all of the, understanding we have internally and to seek to see what it is in turn that we need to look and maybe prioritize in preparation for, the upcoming changes.
Right. And I think that's just a great point to begin with. You really just have to get into it. You have to jump in. You have to learn and read and not be afraid of making this transition. So before we get down deep into some of the technical issues and some of the things that you've worked with, let's talk a little bit about some of this experience. First off, what kind of assessments do you at British Telecom do each year?
We've got quite a few. So I'm gonna start off with explaining that as an organization, we're not just one, you know, one large organization. We are multiple large organizations. So we've got multiple customer facing units. So if you imagine we sell to the consumer, we sell to the business, we look after local government, we're a service provider, we're also a merchant. So we've got quite a lot of scope in terms of PCI.
And I guess the main takeaway from that is all of our assessments we do, we do at level one. So whether it meets the eligibility criteria for a self assessment, we opt to do a QSA validated ROC. However, we may choose to then do the eligibility criteria for whatever assessment it is.
Very good. You said you had lots of different things. About how many assessments are you having to work on each year?
Yeah. So a couple of years, well, if you'd asked me this four or five years ago before we did a big PCI program, we had about fifty to sixty environments that we've managed through the use of technology to descope our environment. We've got that down to thirty four, I think it was, at last count.
And like I said before, there are a mixture of full assessments with the eligibility criteria, for example, our ecommerce estate. So if we think about taking as much of the scope out as possible, then we're talking SAQ A eligibility criteria. So some of the, you know, the ratifications within the ROC template for doing partial assessments. Now whilst it's not a partial assessment, it is a full assessment, you know, we can get our head around the not applicable and not tested. I think that was quite a bit of a learning point for us. But then we also have retail and we have contact centers, etcetera. So we've got a whole variety of assessments, and that's not taking into account our service provider offerings.
Right. So, wow, just me interviewing you almost covers the whole industry of all the different types of assessments. So it's really great to have your perspective.
Yeah. If you think about it, I think we touch virtually, well, a lot of technologies and a lot of, you know, channels as it were. So it's a very interesting job.
Right. So all of our listeners should kind of perk up right now and say, Simon's got the experience that I need somewhere in here. So we appreciate that perspective from you. So as you started, you mentioned earlier that you said, hey, as soon as it came out, we started reading. What were some of your first steps? What did you start, and how did you get going on this effort to transition to 4.0?
Yeah. So I guess as soon as the final version was released, version 1.0 of version 4, we did an internal review based on our knowledge and assumptions we'd made leading up to that. So that kinda gave us an early doors overview as it were.
And then we reviewed our existing timelines on our 3.2.1 assessments. So obviously, we've got thirty four different assessments that are spread throughout the year in order to give our QSA company time to actually fit it all in and also allow us as an assurance function to, you know, support the audit. So first thing is, what is the existing timeline? And then based on that timeline, which assessment types will be first in there. So, you know, will that be our ecommerce estate? Will it be our retail estate? Or will it be our full assessments that we've got to do, just to get a scope of how much work and effort's gonna be required?
And like we mentioned, we've got a really good QSA company that we work with. So it was imperative to know what their plan was for the adoption of version 4. Because I know not all QSA companies have jumped on to the version 4 training and done the certification straight away.
So, you know, my priority was to make sure they're certified so we can actually start rolling these out.
And then with that, reaching out to our internal compliance specialist within the organization as well.
We've got what we call PCI responsible people who are doing the day to day assurance, and then we've got the folk that work on the PCI team who are doing the actual second line assurance. So we had to make sure that the training and awareness was out there.
You can't just roll the new standard out to somebody if they're not sure of what the ask actually is from them. So as part of that, in our assurance process, we've got something we call PAT, which is our PCI Assurance Platform.
So we looked at bringing that up to version 4. And then once we brought the assurance program up to version 4, then providing training on how we validate the requirements, and whether we're doing, you know, what are we doing with future-dated requirements? What are we doing with an uplift, and where is that uplift required?
So that was one of the key takeaways for me was making sure that people are aware and sure of what they need to do to support the assessment process.
And then I guess just a final note was the way we architect our assessments is we have a number of shared assessments. So we act as an internal service provider where they support the internal business, you know, to really uplift those building blocks for BT around policies and processes and physical security, etcetera.
Uh-huh. Yeah. That's a lot of effort. It sounds like you've got some great organization and a good team. So with all of that, where are you guys standing right now? About how far have you gotten along in this process?
Well, so far to date, in terms of receiving AOCs from our external assessors, we've got twelve PCI assessments at version 4, and that's since August. So, again, there's been quite a lot of effort, a combined effort to get to that state.
It's well done.
Yeah. I think you're probably somebody in the whole world that's got the most experience getting this done so far.
So we talked a little bit before about how you guys really wanted to jump on, and you really started quickly. What were some of the reasons why you started so soon? Compared to, you know, like you were saying, a lot of other people are kinda waiting and seeing, and maybe I should wait to really jump on this and see how other people do. What was your guys' motivation?
We've got two motivations, really. One is protecting the brand and being an industry leader in what we do, and that's one of BT's focuses no matter what we're doing. You know, we're a carrier network. We sell security services through global, whatever that might be. We like to be seen as industry leaders, so of course compliance kind of comes along there.
And the second real reason is because we're such a large organization, and I mentioned before, with, you know, potentially five different customer facing units, we've got multiple technology units, we've got a lot of big initiatives internally, then it takes time for change. Change doesn't happen overnight.
So, you know, if we need a new bit of tooling or we need to significantly uplift the policy or a process, then I need to work out, you know, who do I need to talk to? You know, so you talk about your key stakeholders and your engagement within the business, reaching out to the various areas. And if you imagine each business unit has their own structure and you've got to know where to go and who to talk to and get approval and, basically, get that big oiled machine moving. And it doesn't always move quick. Right?
So you've got to understand how the business operates, know where your pinch points are gonna be, know who your key people are gonna be, and get them all involved and get them on board. And that's one of the main drivers for me really. You know, we think 2025, March 2025, is a long way away. For me, that's not really that far away.
So that's one of the drivers for a business.
And I think that's a super important perspective to have for anybody who's kinda considering when to make this transition. As we all know in life, pretty much everything we think takes longer than it really does. Every process, every project that we work on often takes longer. So this is not gonna be any different than that, and, you know, I think it's been great.
It's important that you jump on, especially, you know, depending on the size of your organization, that may have something to do with it as well. But even for small people, small companies and organizations who are working on this transition, it's gonna take longer than you think, so get started early. So what are some strategies? I can't even say that word.
What are some strategies that have really helped you along this process?
Yeah. And, I mean, I'm gonna jump ahead before version 4. So even in version 3, one of our strategies was to remove cardholder data from as many places as we can. So, you know, if possible remove it by, you know, stopping people having the ability to see, hear, speak, touch cardholder data. So we had a PCI program where we reduced scope. So we deployed P2PE, for example, in our retail estate. So we've got six hundred stores, you know, taking payments through the pads.
We've got contact centers where we've used DTMF masking technologies to remove the data away from our agents. And actually, there's been quite a big improvement in customer handling times and a whole lot of other business speak that's occurred. And then in our ecommerce channels, again, really looking to drive down where we're using it. So where we might have had, you know, post being used or other technologies, really drive it down to the minimum.
And then we've also built our own internal service provider offering to try and minimize the scope applicable internally. So that's been a big help in version 4 coming out. And then I think the second one, being in line with that, is our mature assurance program. So, you know, having key stakeholders engaged and accountable, having monthly calls with our environments to make sure that they're meeting all their obligations for the regular things that happen, you know, and having the training and awareness, that's certainly been a big help and part of the strategies to drive us to getting compliance.
And then when we come along to version 4, obviously, understanding what version 4 really means to us as an organization, then I think one of the things we've decided to do as well is to look at future-dated requirements. You know, what is it that we need to have in place, you know, for our first assessment schedules? What are the new requirements that come into scope now?
And then once we've understood that, then looking at other new testing requirements such as the targeted risk analysis.
Because when you read version 4, you think, okay. I think it was nine. I'm trying to remember how many. I think it was nine or thirteen new targeted risk analyses. Okay. Which ones of those do we really need to do? So the ones that we don't need to do now, let's put them to bed.
And then again, dealing with common services first. So, you know, those building blocks, the single service offerings within BT, let's get them compliant. We actually had to recertify them. They had not long gone through the certification process, but we thought, right, policies and processes, roles and responsibilities, they're all key, right, to get engagement and understanding, and, you know, there's quite a few new requirements on those.
And then a decision we took internally was around the customized approach. So don't use the customized approach unless it's by exception. So I'm not saying we can't do it. Right. But in order to keep things in control, you know, they're for mature organizations, which we are, but we spent a number of years putting in a new methodology and a new way of assuring and maintaining compliance.
So there shouldn't be any need for exception. But if there is a new technology or a new way of doing something like moving to cloud, for example, I know that's one that's come up recently, then, you know, we may need to go down the customized approach.
But really, you know, for me, the ability to report with version 4 correctly on partial assessments, that was quite a big learning for us.
And whilst we were doing that before, I think version 4 has made it clearer for the assessors and for the merchants and service providers to be able to articulate exactly what it is we're doing. So where we're doing partial assessments, for example, P2PE, yes, we could do it via a self assessment. You know? Are we a level one?
Are we a level two? Well, let's put that to one side, and let's actually just go the whole hog and elect ourselves to do a full level one assessment. So being able to mark it as a partial assessment does really help with the reporting because there's no questions now around whether this is a compliant ROC or not because it's not applicable or not tested. The Council have really clarified the wording there, which has supported the efforts we've been doing.
Right. And I think those are gonna be some important things that people will all kinda learn about as we move this transition.
So out of the, I can't remember, there's, like, fifty some odd new requirements, maybe more. There were a number of them that were future-dated and a number of them that were effective immediately. I think there were thirteen that are effective immediately.
As you were considering, you know, it sounds like what you're saying is, hey, we're jumping into 4.0. We're gonna push off thinking about the, you know, compliance to the future-dated, but really working on those things. Start thinking about them, but not worried about complying. What were some of the harder, or some of the requirements that come to mind when you were talking about the ones that are immediately effective?
Yeah. I mean, some of the ones that are immediately effective are the roles and responsibilities, you know, for people acknowledging. If you imagine we're a large organization and very complex and, you know, people are quite, you know, my job is this and this is a defined role. We're very siloed in some of the areas where we work.
That was certainly a challenge. I say it was a challenge. I think, you know, once we got our heads around what that meant and the best way to implement. So understanding how your business operates, I think, is key because you don't want to introduce process just for introducing process' sake.
Right? You want it to be part of how the operation of the organization works today. So that was a challenge, but actually it wasn't that hard to put in place. And because of our assurance program, we already had a mechanism for getting people to acknowledge that they're responsible for those particular PCI requirements.
And then by updating the wider global governance and assurance policy process documents, we're able to articulate it quite simply. So what turned out to be kind of one of the big stuffers actually turned out to be quite, I wouldn't say simple. Nothing's simple.
But, you know, it was one of those that weren't too bad, actually.
Right. And I think companies like yours that have a lot of this infrastructure and policy and procedure and kind of stuff that existed before, I think you were set up pretty well for that. You know, it seems like ten of these thirteen requirements, they throw something at the beginning of each section saying, hey, you've gotta have this documented.
Who's responsible? Have them take that responsibility in writing. Those things are, you know, any kind of documentation being written by people is just difficult. So it may sound pretty simple, but, you know, that's something you think about and you make sure, hey.
Let's get this documentation in a row, and let's get somebody working and writing it. It's doable, as you said, but it's something you gotta think about. Now the last three out of that ten, let's quickly go through those. Some of them may or may not apply to you guys.
12.3.2 was the next one there, requirement 12.3.2. It's really about risk assessments for the customized approach. You mentioned earlier that may be a thing in the future. It may not be, but that's really kind of applying there. So it doesn't apply to you guys at this point.
If people are thinking, hey, I really need to do a customized approach, number one, think again. And number two, if you do, then you have to do this extra risk assessment.
12.5.2 is another requirement that added kind of more formal documentation of PCI DSS scope that needs to occur annually.
That's looking at flows, systems requirement zero thing that the QSA is like back then.
Right. Right. So we can talk about that one a little bit. And then the last one, 12.9.2, it's kinda requiring third party service providers to support their customers' requests for information. Number one, about whether they're compliant. Number two, what is your responsibility? What is my responsibility?
So the Council added this as something that's a little more detailed. Again, all of these things were things that probably people, you know, could have been doing before, so it's not like these thirteen new ones are gonna be, you know, super hard to do. You can think, well, let's move to 4.0. Even when you move to 4.0, these thirteen things aren't gonna stop you from really making good progress the first year if you start thinking about the futures, you know, in a minute. But let's go back to scoping a little bit. You and I had talked earlier about the scoping being really large. You guys have a super large network.
What works for you in scoping, and how do you document, and how do you emphasize that documentation at BT?
I think you need to really understand and read the wording around 12.5.2, you know, around the formal process, because it kind of implies that you should be doing data discovery. Okay. So what's data discovery? Is that a tool where you're scanning your network and your infrastructure looking for clear text cardholder data? You know, is that interviewing people within the various departments of the organization, working with the technical team? So I think you've got to really think about that and, hopefully working with your QSA understanding your environment, what does it mean to you? I mean, for us at BT as a large organization, there's no way we could do a data discovery of our entire organization.
You know, that just wouldn't happen, and we'd never be able to do it in effective time, and I wouldn't even wanna go down that route. I'd probably be laughed out of the room if I suggested that. But, you know, we do have a good, like I say, mature governance process. We have quarterly steering forums.
We have quarterly governance and assurance programs. So for me, I've broken it down into two pieces really. If you think of the top part, you know, from an organization level, what is it we do? Well, we have a quarterly return where each customer facing unit reports to us on the PCI environments and tells us all about it.
Of course, we have our knowledge as well from a second line. So we make sure the two align and we use that.
We have steering forums where we get together and we kind of give updates, etcetera.
And kind of that gives us a very high level view of we've got these thirty four PCI environments. We know exactly what technologies they're using and where.
We've got a track of all the certification dates. We know who the business owners are. We're having monthly calls. Hey. You know, has anything changed this month within the retail stores? Have we taken on any new technologies?
Because, you know, you've got supporting services in stores where they've got, you know, people calling customers back, taking payments. COVID had a big impact there and gave us a lot of new capabilities.
Because when you close a retail store down and you've got staff sat there, it's like, well, how can we make money? So one of the things they did there was to actually take those agents, give them laptops with the DTMF masking technology and say, hey, instead of inviting the customer back to the retail store, then, you know, why don't you sell it to them over the phone and we use this great technology. So that's kind of how we manage and how we track what we're doing. And then I think the next level has got to be down at the, you know, the assurance level.
So when you're talking to your platforms and you're talking to the technical teams and the business owners, you know, has anything changed? What's going on? And then what we've done is we've mandated that actually within our assurance program, requirement zero, or 12.5.2, is very clearly articulated with card data flow diagrams and a bit of an overview, and we can track the technologies. And that's really been the key way we've addressed that scoping requirement.
Good deal. Good deal.
So you got the immediately effective ones handled. Let's talk for a minute about your thoughts on the future-dated requirements. And I think a lot of people can get real stressed about those if you kind of bring them all present and say, what do I do? How am I gonna do this? How have you guys kind of addressed that, and what's your procedure for moving forward on the future-dated requirements?
Yeah. And I've got quite a bit of a challenge on the technical team. So like I mentioned before, we're a service provider. So we offer services out to large and small businesses.
And we had one recently where, if you imagine you've got your CDE and you provide, you know, like a remote access technology, and then this customer asks, hey, you know, I want to be able to copy and paste information in and out of the environment. And you think, oh, I remember reading version 4 says you can't copy and paste.
So, you know, that's your first review and you think, you know, let's go and look at the detail. If you actually go and read the new requirement 3.4.2 around copy and pasting, you know, what it actually says is, you know, you limit copy and paste to only those that actually need it for business use. Now technically, this particular team I was talking about, they didn't have access to clear text cardholder data, but the environment they were working within supports our card data environment. So we don't wanna expand our scope or introduce any external risk. So it was more of a rearchitecture.
Like, well, actually, what do you need to do? So one of the key things I want to do is manage devices. Well, you don't need to copy configs in and out of the environment. What you need is the ability to copy things inside the environment and be able to work with them and troubleshoot. So that was quite an easy one. Seemed quite difficult at the beginning, but actually when you read the detail, you know, and you understand the process, it makes a bit of sense.
Right. So that was 3.4.2, if anybody's listening or wants to kinda figure that out, but that's 3.4.2.
What about, you had one in section 4?
Yeah. So 4.2.1.1. And I will hold my hand up now. I've not memorized all these numbers.
I have got them written down in front of me, but, you know, the inventory of trusted keys. So you can imagine in a large organization, we're gonna have a significant number of keys. So it's really how does the business manage the keys. I don't want to introduce a new process just for PCI.
So just understanding how they manage those keys. And personally, you know, being an assessor, being out there, I could never get my head around why we inventory the keys for storage of card data, but we never then really manage the transmission and kind of all the admin cut keys in your web browsers. So I'm personally really pleased to see that in there. And, you know, I've been preaching about it internally for quite a while, and now I've got my PCI requirement.
I can really hang that off.
Good. Now they added phishing as one of the new requirements that are future-dated. What are your thoughts in that area?
Yeah. I mean, so we've always done phishing training, and it's mandatory as a large organization. We're a carrier network, kind of, you can imagine we would be targets, so I did wonder about this one at the beginning, to think how does that impact us, because we do phishing. I don't want to expand my scope, but actually I think the thing to remember about the clarification around phishing is it's more a review of the process of having phishing training and how frequently you do it and that people acknowledge it rather than, you know, a QSA's thought of, is the technology in scope. So, you know, is my email now in scope, you know, if I'm doing phishing kind of thing. So it's just really, you know, check the clarification. Understand that the technology is not expanding the scope, and it's more around the process of what you're delivering to the end person.
Right. And I think, you know, how I read that was it's really just saying, let's be more aware on this. Let's have some process around training. And phishing is always gonna be a problem.
No matter how much training you do, we're just trying to, again, lower the risk, make sure that it's more in front of people. I used to work for a large defense contractor in the United States, and every six months we had to have training to remind us not to talk to spies. Right? And so, yeah.
This is just one of those things. You know, always be aware, and that's why they have these trainings. So that's in 5.4. You had something else?
I was just gonna say it's interesting how it's not down in requirement 12, isn't it, really, with all the other training requirements around annual training. They've actually stuck it in requirement 5 around the whole malicious malware and misplaces. So I do wonder sometimes what the thought process was there for bringing the training into the malicious malware and the virus section rather than having it in the training bit.
Yeah. Well, I guess it always results in malware, potentially, so maybe that's why.
Yeah.
So a lot of people are talking about requirements in 6 and in 11 on payment page scripting. The scripts that are used there and included on payment pages, doing inventories, scanning those.
What are your thoughts and feelings on kind of that new requirement?
So my first thought is this was an area I never thought I'd need to look into in any depth. So I quite wonder, from a QSA's perspective, if you're gonna now have to assess this. And when you look at the wording in the standard, it says, you know, please describe how the entity meets the requirements for these particular requirements. What does it mean to me as a merchant? Well, actually, I guess the question is, we talk about CSP and SRI, you know, and other methods to meet the intent of the requirements. And whilst we've put that to one side and said, well, that's a future dated thing, we are actually investigating. So I am working with three or four vendors at the moment to have a look at their solutions.
We've got a significant ecommerce estate.
We've got quite a number of payment pages and, you know, like checkout boxes. So if you look at the difference between the SAQ A terminology and the ROC terminology, there's kind of slight nuances there. So hopefully the council will clarify those in the end. But ultimately, if you've got to protect the page from, you know, when you click the checkout button, and you wanna know what scripts are being used and what third parties are reaching out to, you know, is there any malicious intent there? And then with requirement 11, more around the file integrity monitoring and checking that your scripts, etcetera, haven't been modified. I think for me, that's gonna be a significant uplift.
But in terms of if we need a technology or a tool, actually getting it in place... Right.
And it needs to be in place as business as usual. Right? So, you know, we've got a big digital estate. We have a team we call digital who are looking after all of this and, you know, technology uplifts.
So I am working closely with them to see which tool best fits our wider needs and not just PCI compliance, you know, speaking to the information security teams around GDPR and kind of all other information assurance. You know, surely we need to know about what's in our web pages, not just for PCI, but as best security practice. Right. So that's an interesting one for me, and it's a significant learning curve as well from my point of view. And I'm a technologist.
Right? So I've worked in technology my entire life. So I do wonder, the version 4.0 is requiring QSAs to be risk experts, technology experts, cloud experts, you know, DevOps experts, etcetera, etcetera. So I'm quite interested, looking forward to working with our QSA and saying to them, okay.
What is it you're expecting from us? Right.
So yeah.
Good question. I think, you know, a couple of points I'd like to make here is when you're preparing for this one, you know, take Simon's point, and that is don't just wait till 2025 to start working on it. This is something you will have to do some research on, do some testing, really find out about, you know, what things you're doing. I think it's really easy for development teams to just get everything from anywhere, you know, try to make stuff the easiest to develop, and so you include many other things.
And then marketing wants to add stuff in. Everybody wants to know what's going on and gathering data. So I think it's been a long time in coming as far as this requirement. You know, we, as a PFI, a forensic investigator, we have noticed these problems coming for the last two years and how much they're going up.
So we started actually working on tools then and started working on solutions and how we're gonna address it. But, you know, inventory is inventory. You've gotta make sure you know what's gonna be there. You probably will need tools to help you categorize all those scripts.
People are gonna have a hard time using some of the technologies that are mentioned, like you said. And are there other things that can be done there? I think we're gonna learn more over the next year as more companies come out with solutions, as people do a little bit more investigation, as we get more people actually accessing and testing and using these tools. And I think it's gonna be great for us as QSAs to feed back to the council what this really means.
It's easy sometimes to write a requirement and say, just do this, and then actually have to be the QSA and work out what the best ways are to implement it, or to assess it. I think that's something the industry is gonna be working on a little bit. So we're all staying tuned.
I think it's good as well that the council are quite, you know, good at responding to comments from the industry, which is another reason for being part of the PO. I mean, you don't have to be a PO to give feedback, but it does, you know, support that process. So, you know, I do look forward to seeing, as people start testing it, what the industry as a whole thinks. And this is where the community meetings are good, and the events that we go to as well, you know, to get, you know, people's views.
Right. So one of the other big changes that we noticed, and I've noticed as a QSA, is this internal scanning. It changes to ASV internal scanning as authenticated. You mentioned earlier that you were kind of already doing that, so it's not gonna be such a big deal. It's been around as a technology for a while. What are some of your thoughts there?
Yeah. And agreed, you know, I didn't really think of it as non-authenticated scanning, because we've always done authenticated scanning. So it has kind of made me think about it, but I'm just pleased, because, you know, listening to others in the industry who are talking about the work involved to get authenticated scanning, you know. Some people might think it's just as simple as ticking a box in some authentication thing like Active Directory and saying, right.
Okay. We'll go and do authenticated scans. But one thing I've learned there is if you're not doing authenticated scans, then, again, don't leave that to the last minute, because that actually could be quite a bit of effort. So enabling the authenticated scans and then, you know, rolling it out, whether you do a big bang or whether you do it bit by bit, and then understanding the reports and seeing what vulnerabilities are coming back, because there may be some significant vulnerabilities that you weren't being made aware of.
And they're gonna be requiring some uplifts, you know, hopefully within, you know, not running into service life, and keeping up to date with patches and things like that. But I guess there's always gonna be the occasion within the business, isn't there, where there's gonna be some exception or a business challenge, and you've got to compensate and control.
So, yeah, my lessons and what I've read is don't leave it to the last minute.
This is, you know, yet another one of those things where you should start in 2023, really, working on getting some experience in that area, even though you don't have to comply for maybe another year or so, but start working on it. Now you mentioned earlier you guys did a lot of SAQ As.
And in the SAQ A, the council has added an ASV scanning requirement. Now how's that gonna affect you guys?
So we've, I'd say, been fortunate. You know, when we look at our assurance program, we look at what we think we should be doing to protect it. Now, obviously, as a QSA myself, for me it should have always been there, the same as pen testing. So, you know, luckily for us, it's not been a significant uplift, because all of our SAQ As are already delivering ASV scans.
I guess the primary concern now is make sure we actually have passing ASV scans, and that those passing ASV scans meet the clarity that the council has provided, which is every 92 days, I think was the wording they used. So, you know, before it's been, you know, every quarter or every three months, and there's always been a bit of ambiguity when discussing with people. But I think now that they've clarified the wording, then that's my driver to the business: look, you know, we have to meet this requirement. Therefore, we really should make sure that we're getting these parts and scanned.
So whilst we've been doing them, there's a lot more focus on it now.
Right. You know? And I think that's an interesting point for really large organizations.
You know? It may not always be reasonable sometimes to say, well, I have to get it done. What if you find something and it's in three thousand stores and you've gotta roll something out in a scan?
So I'm hoping that over time, we work with the council on this 92 day thing. And for the most part, yes, that should be your focus. You should make sure you get that done and have that as a goal. But what if there's something that's gonna take 95 days? Right?
Should you then fail your whole... anyway, so this is something that I'm... As we have those interesting discussions with the QSA.
Right?
Right. So those are the things that still, you know, real world has to come in there. And, you know, I think we'll learn more again as 4.0 keeps going and as we get some more experience with some of these outside cases. I don't believe that these will be an everyday occurrence, stuff like this.
It'll just be something that happens.
So ASV scanning for SAQ A, it's happening, and I think that starts right away. That's an immediate one, the ASV scanning. They added the script scanning also in SAQ A. That's a future dated type of a thing.
So Yeah.
For people who are implementing a scan in SAQ A, you're right. It's really not that hard to do. It's not that big of a cost to add that in there. But, again, you do have to make sure that they're passing. So... Yeah.
So 12.3.3 was another one, reviewing cipher suites each year, and documented tracking. We mentioned that just a little bit earlier. What are your thoughts in that area?
Well, you've always had to do cipher suite reviews. Right? Because if you didn't have the right cryptographic cipher suites, how do you pass your pen test and your ASV scans, etcetera?
Right.
But now they've called it out.
I think it's definitely a good thing.
I know a lot of large organizations will probably have central tooling. I know we have central tooling where we can keep track of this. So that might be a challenge. If you're a small organization, you've just got a single ecommerce site, then maybe it's just an Excel spreadsheet. But if you're a larger organization with quite a decent sized scope, then you are gonna need to be on top of that. I mean, just think of this as an operational thing, back to when I used to do my operational function with Citibank, you know, certificates and ciphers. Well, you had to make sure they were in place, right, and they were, you know, protecting the environment.
And actually quite interesting, I was doing some reading a few months ago, and I was reading an article that I shared on LinkedIn about a Deloitte poll that I've done, where they'd said that just over half of the respondents, about fifty percent of them, believe that their organizations were at risk of harvest now, decrypt later cyber attacks. Now I hadn't heard of this terminology before, but reading into it, I guess it kinda makes sense. Right?
You know, with quantum cryptography Right.
And there's been a lot more noise and focus. I mean, at the community meeting, we had a talk on quantum cryptography and what that means to the industry, and now we've got NIST defining, was it four new cipher suites that could, you know, protect against... contradictory? I can't remember the term they'd use. But, you know, it does really make you think, you know, if people are compromising your environments and they're taking these encrypted databases, how does that impact you as an organization?
Therefore, if you did have a breach, you'd wanna know straight away, wouldn't you, what cipher suites you are using to protect that, so that you can make sure that, you know, how long is... you know, how long do credit card numbers last? I mean, they last three years, but, you know, there's only so many numbers you can use, so they must get replayed at some point. So... Right. What does that mean? And I think, again, industry best practice, it's not just PCI.
We should be, you know, understanding what we've got for everything. So I found that quite interesting, and I think that's another good thing that's come about as well.
Yeah. You know, I think that we all think, hey, thirty thousand years is a long time to crack something, and that's what it is now, but we don't know what it will be in three years or four years. So I think that's important.
Again, long time coming, should have been done for a long time as well, but to have that formalized, I think, is just acknowledging another layer of security that you need to be thinking about. Earlier, we mentioned the customized approach, and I think for a lot of people in the industry, there's a lot of kind of, what is this, how is it gonna help me. As a QSA, I think some of our fears are somebody will say, well, I don't wanna meet that requirement. I want you to do a customized approach so I don't have to meet it.
And there may be some, you know, training and future understanding as people go on and learn about this. That's obviously not the way it's supposed to work.
The customized approach really has a lot to do with the organization, and I think you mentioned, you said, wow, this is a heavy lift, you know, to do the customized approach. We're not gonna really worry about it at this point. Don't really have to, because you don't have any procedures, maybe, or processes that are outside of the defined approach.
So, you know, as a QSA, we're all wondering too how many people will use the customized approach. It's gonna be hard. It's gonna be difficult. It may be very helpful in an organization that's mature like yours to, you know, get something that's really secure and great that isn't quite exactly like the defined approach says, and getting that certified and agreed upon as a way to meet the intent of a requirement.
Any other thoughts on the customized approach that you'd like to share with people, as you've been thinking about it as a large organization that maybe could?
Yeah. I mean, for me, I think the customized approach is for mature organizations. Right? Because if you think about the process of putting a customized approach together, you know, you've got to articulate what your risk is.
You've got to understand what the actual intent of the requirement is, and then you've got to document, you know, work with the QSA company on how you're gonna meet the intent of the requirement with whatever technology you're approaching. So my key takeaway is it's not a compensating control, because I remember the council were gonna do away with compensating controls, and I think they got industry feedback saying, well, hey, we go down the customized approach. Is that a compensating control? Because I thought it wasn't supposed to be.
So... Mhmm. You know, we still got both methods now. So I think the main thing to take away is it's not a compensating control.
And also, if you're doing your assessment and you find you can't meet it some way, you've got to remember that, you know, in order to support and demonstrate effective implementation, it's gotta be in place for a while as well. Right? So... Right. I guess, does that mean if you assess someone, and we take passwords, for example, you know, I know that's a very touchy subject with some people depending on who the organization is and different views on passwords and passphrases and, you know, all the rest of it. But if you find that the entity can't meet the requirement, you can't just say, hey, mister QSA, let's work together, because it's got to be independent as well, isn't it? You know? So you've got to drag another QSA in to support that, but then potentially you might have to delay your assessment by a number of months, because you've got to demonstrate the effectiveness of the control operating.
So I think that's one of my main takeaways: it's not a quick fix. It is for mature organizations who have got the technologies in place, and it should have been in place and demonstrating effective operation, you know, way before the assessment timeline.
Right. And just to clarify, let's talk for a second about, you mentioned that there is the customized approach, and there are still compensating controls. And, again, compensating controls are to be used if there is some regulation or whatever that prevents you from doing something, you know, like storing videos in another country might be a difficult thing for a long period of time, something like that. They're really not meant for, hey, I don't want to do this, or I wanna do it a different way. It really is, there is some business constraint, some sort of a legal constraint or whatever. That's when you use compensating controls.
Otherwise, it's the defined approach, and I think that still will be the number one method for validation, the defined approach. And, again, those very mature organizations that have a risk organization and have the ability to do all this other research and documentation development will work on the customized approach. So it will be interesting over the years to see how this is used and who's utilizing it and kinda what will go forward in the future. But a lot of questions, I think, in the industry around that right now.
Yeah. And, yeah, it'd be interesting to see what the scenarios are where you think you can justify using the customized approach as well. But, again, it's good that the council have recognized the need for it as well. Right? Because, you know, the compensating control is above and not everlasting, therefore.
This is where you go down to your customized approach.
Right.
So we've covered lots of things. Any other kind of general advice for those who wanna dip their toes in the 4.0 pool?
I'm just thinking back to the stuff that we've done. You know, I think I'd recommend that, at a minimum, people are doing a gap assessment against the version 3 assessments as they're rolling through, if, you know, you think you're not quite ready to tackle it. The assessors are there anyway. You know, if it's only a couple more days' effort, then I think it's worth getting the assessor who understands your environment at the time of your 3.2.1 assessments to do that and provide you with the gap assessment.
I know we did this prior to doing all of our training within the organization and the QSA cert, so it was definitely very useful.
I guess the recommendation for me, and maybe the path that I'm taking too, is look to move to version 4 in this cycle, so 2022, 2023, and don't consider future dated requirements on the first round of assessments. You know? Don't ignore them, but just exclude them, and then ask your assessor to give you comment on what that might be. But at the same time, like I am, look at what those future dated requirements work may be. So my plan is, going for my 2024, so the subsequent round of assessments, I'll look to integrate as many, well, hopefully all, of the requirements, and then obviously any failing ones we'll look to remediate.
I've given myself a bit of time ready for the March 2025 deadline.
Hopefully, by the March 2025 deadline and that rotation of assessment starts happening, then I will be fully fledged, and maybe one or two trailing. I can think of a couple of environments which were quite large and significant where we might have some challenges, but at least thinking about them now, with an aim to getting them done by that date, will, you know, be good for us.
Right. And I think that's kind of where we're ending at this point. You know? As far as summing up, just jump in. Doing a 4.0 gap with your 3.2.1 assessment should be a consideration. I'm guessing that many QSAs will have that ability and have that ready to go. We do as a QSA as well.
I think some of the other things are, as we've mentioned during the webinar here, don't just ignore the future dated ones. Start thinking about the ones that are gonna have an impact on you the most. Start understanding the script scanning stuff. Start understanding the ASV authenticated scan or the internal scans.
Make sure you're working on your SAQ A kind of scanning solution if you're not gonna move to 4.0 right away. Start doing those scans on your SAQ As anyway so that you can make sure that you understand how to keep those clean, and move into 4.0 in 2023. I think that would probably be a great goal, if your organization can get your head around that. When you think about it, when you take out the future dated stuff and you carefully go through the thirteen immediately effective ones, it's not that much different than 3.2.1.
Yeah, there are some changes, and there's some documentation things, and some, you know, it feels like you're making a big change, but you gotta start sometime. So... Definitely. Alright. Well, thanks a lot.
We have a few minutes here at the end. We'd like to take a few questions. I think there were a couple. So let's go ahead and do that and see if we can answer them on the fly.
How will transitioning to PCI 4.0 impact my business, such as how much will it cost, how much time will it take? Okay.
So, yeah, people do wonder how much, you know, do I need to plan for 4.0 as far as financial or time. What are some of your thoughts on that, Simon?
Yeah. So we were looking at this when we were planning for the future budgets, as we do every year, and we've got a significant number of assessments to go forward. So we've definitely presumed it's gonna take maybe a couple of extra days per platform, which obviously equates to a couple more days' consultancy through our QSA company. So I certainly think you need to include additional budget and funding, you know, because I think maybe for the first year assessment, it might be a bit of deliberation between you and the QSA as to whether what you've put in place meets the intent, or whether an existing control meets the intent again. So I, well, personally, we budgeted for more effort and cost with our assessors.
Right. And I think along with that goes, you know, it's gonna take more time on your team's part, but perhaps there are some tools that you need to start testing, you know, like the scanning things, like spending a little bit more for an ASV scan on an SAQ A.
So, you know, based on your environments, I think you can kinda say, we may need some tooling.
So let's include a little bit of that budget as well, and it's gonna take some research time and some testing time.
So I don't think it needs to be double or anything like that, but you're gonna be needing...
One of the things I've thought about as well through our program is, you know, if we are implementing new technologies and new ways of doing things, then putting some extra time in with the QSA to come in separately, outside of the assessment process, just to validate the control before the assessment.
Or if you're planning to do a large deployment of a piece of technology which is gonna cost, you know, a significant amount of money, then it's always worth getting the assessors in to come and do a gap assessment and validate that the way forward is the right way to go before you then spend the money and go and deploy that.
How well do the changes to PCI version 4.0 track with other compliance mandates such as GDPR?
Yeah. And that's not a bad question. I think as we think about so many frameworks and standards throughout the world that are kind of dealing with security and privacy, etcetera, how are some of the changes in 4.0 matching up with, you know, different frameworks? You know, I guess in Europe, there might be GDPR or other things. Have you guys, what do you think about that?
Yeah.
Well, I guess it's one of those things that standards evolve. You know, PCI is a bare minimum best practice. Right. I know internally we've got a whole program ahead working to look at all the differences. So we're looking at CIS, you know, we're looking at GDPR, we're looking at Cyber Essentials we have here in the UK.
So we're definitely aligning all of our policies and processes and building that into the organizational structure so that it's not just a PCI relevant tick box as it was. So I'm not a GDPR expert. We're a bit siloed in our organization.
But, yeah, I think that will be kind of where I'd go.
Yeah. Definitely, you know, it would be great, wouldn't it, if there was one standard to rule them all, kinda like the one ring? Yeah. But there isn't, and there's always gonna be different ones, because industries have different emphasis. But as a security analyst, and as a, you know, a company, you're gonna notice that there are some commonalities between them. And over time, you'll notice that somebody increases in this one area.
PCI is increasing in password things, as, you know, here in the US, NIST has increased password standards, changed those. They're always evolving. So they should relate a little bit, but there will be some really industry specific things in each of these standards. It would be great if there was just one to do.
But I'm gonna say, you know, I know things like GDPR, for example, say you should protect the data with appropriate, you know, methods, etcetera.
But the PCI standard is a little bit more prescriptive sometimes. It's not always, you know, like with version 3, you know, we had vulnerabilities around TLS and SSH, so they would come out and say this should be used, whereas CIS and NIST will kind of imply that you should use these relevant technologies. So I do think that PCI is a little bit more prescriptive than some of the other kind of regulatory things, because, remember, right? You know, GDPR is a regulatory thing whereas PCI is more contractual. So there's slight nuances, but they definitely have a lot of overlap, because it's all based on industry best practice and how we should be protecting the data.
Right.
Well, very good. That's all the time we've got today. We appreciate your time, Simon, and appreciate all of our listeners' time today. So, good luck with 4.0.
Thank you very much, and I'll talk to you soon.
Bye bye.