“The biggest challenge in establishing your data security policies and practices is knowing what you need to learn more about,” explains Lee Pierce. A good PCI compliance partner will take the time to show you what you may be completely missing, because not knowing what you need to know is far worse than not having an answer. And if you’ve done your own PCI compliance for years, you may be even more likely not to know what you’re missing.
At SecurityMetrics, Lee and his team provide valuable pre-assessment consulting to make sure you have the depth and direction you need to prepare for an assessment and become compliant. Lee explained this and listed the top 10 misconceptions they run into while working with businesses. With years of experience and hundreds of customers helped, Lee gave generous tips and recounted real-life stories so attendees could understand what they likely don’t understand.
This webinar was hosted on September 24th, 2020, as part of SecurityMetrics Summit 2020.
Hello. My name is Lee Pierce. I work here at SecurityMetrics as the director of sales operations.
I've been with the company for about fifteen years, and the focus of my work here has been on the sales side with enterprise customers: audits, penetration tests, forensics, larger vulnerability scanning customers, and just basic troubleshooting to help banks help their merchants.
Today, I'm going to be talking to you a little bit about Mythbusters: ten misconceptions about security audits.
So the focus here will be your data security and the compliance technology involved with the end result. The end goal being that you avoid data breaches, you avoid costly fines, you avoid slowdowns and hindrances to your business being able to do your job.
And that way you can help your business grow and stop worrying about so many factors that are looming out there all the time.
So let's move on to the agenda for the presentation regarding PCI DSS. I'm going to talk a little bit about the challenge that seems to influence everything that we do in trying to be compliant with security standards, the misconceptions that I mentioned before, and then some steps to keep in mind as you go forward.
So common misconceptions.
But first, let's talk about the challenge.
The biggest challenge in establishing your data security policies and practices is working to learn about those things that you know you need to know more about.
I'll say that again. Things you know you need to know more about.
And if you choose a good compliance partner, they can help you determine the questions you should be asking both yourself and your team in order to achieve a greater awareness of the questions you need to learn how to ask.
These are some of the keys.
So when you don't know what you don't know, you have no awareness of the problem.
Not having an answer for a question is far better than that. And what we want to talk about today is identifying the questions you need to ask as you deal with these misconceptions.
So misconception one.
So people think that since they have been doing a full PCI self-assessment for years, maybe, they're ready for a QSA assessment. And this can be kind of confusing, because some of the requirements can be found in your self-assessment questionnaire if you've been completing a questionnaire other than Self-Assessment Questionnaire D.
You might miss some requirements entirely because they're not packaged in your form of the questionnaire.
Additionally, if you've addressed specific requirements and think that you've covered it, you may be lacking some experience or depth of understanding.
And therefore, you may not be satisfying a requirement that you thought you were satisfying.
That's another one to keep in mind. You may not have the depth necessary to check that box on compliance on a particular requirement.
Here at SecurityMetrics, we're dedicated to providing you pre-assessment help through consultation and gap analysis, and back and forth as you work to better understand your situation.
Also, another problem that may exist is you may have multiple channels of card acceptance.
And if most of your work involves an outsourced website, making you eligible for SAQ A, you may find out later that you're actually storing card data somewhere else or have another channel for acceptance.
Those things will come into focus as you start attacking the requirements and doing your internal investigations to prepare for an assessment.
Another misconception is that people who enroll for quarterly scanning and the self-assessment questionnaire think they're done. They don't really see Requirement 11.3 looming in the background. But 11.3 is all about penetration testing.
And penetration testing is not at all vulnerability assessment scanning.
This is an often confused comparison. People need to realize that vulnerability scanning requires that you use an approved scanning vendor and that you achieve passing scans every ninety days.
Whereas with the penetration test, which is a much more involved, manual, handcrafted, and therefore more expensive service, you can actually perform that internally if you have staff completely independent from what is being tested. And you can go in and look at more standards and guidance from PCI about penetration testing if that is your case, or you can hire an outside vendor with a good reputation and background in penetration testing.
But that requirement is required once a year or whenever significant changes happen to your environment.
So with pen testing, a vulnerability can be discovered just like with vulnerability assessment scanning, but then the manual testing begins, which is their attempts to exploit the possible vulnerabilities.
A totally different animal. It requires communication back and forth between you and the tester.
It requires a lot more involvement on your part.
Misconception number three. All aspects of credit card handling have been outsourced in my organization.
Therefore, PCI compliance validation does not apply to me.
We do have customers that will say, I really don't need to be complying with this standard because the people that handle things for me are complying with the standard. However, if you are a merchant and you are accepting cards in the sense that card deposits are actually coming to your merchant account by way of a service provider, you are obligated to declare your compliance with PCI DSS.
And much of Requirement 12 cannot be outsourced: you must go in and answer questions regarding your information security policies, and you must have an incident response plan in place.
A good QSA will help you identify those things that are still on your table that you need to address versus placed in the realm of your service provider or whoever's outsourced for you.
Misconception four: people say that completing the self-assessment questionnaire is all that is needed. They don't realize that completing versus passing are two different things. So, "when I sign up for ASV scanning and a self-assessment questionnaire, I am compliant."
Unfortunately, that's not true.
You have to sign up for scanning for anything that's applicable and in scope, and you must have the passing scan results.
But then there are all the questions, if you're self-assessing, that you have to verify you are compliant with. And it can take a lot of work.
And sometimes you may even need to talk to your bank about an extension regarding deadlines they've given you as you work through the things you're discovering.
If you're doing a self assessment and you're finding it to be difficult to get all the answers and get everything completed, it might be a good idea to hire a QSA to consult with and just ask for help in better interpreting the questions even though you're allowed to self assess.
So I would say keep that in the back of your mind as a possibility as you work out how to achieve compliance with these standards.
Misconception number five. If I don't run Wi-Fi in my environment, I do not need to test for rogue wireless.
So Requirement 11.1 talks about that: you need to have an accounting of all the wireless access points in your environment.
But what sometimes gets overlooked is that you also need to account for unauthorized Wi-Fi that you discover and make sure you track it down and eliminate it, or learn why that access point is there and figure out what should be going on with that. Who should have access to it, or should it be turned off?
Bad players historically have actually even sneaked into secure areas in a store and set up a Wi-Fi access point that customers unwittingly use, thinking that they're using your Wi-Fi, and they're capturing traffic and a lot of other uses as well. So you must scan for rogue wireless even if you have no wireless access points going on in your location.
Misconception number six. I outsource critical handling of sensitive data to a service provider. Therefore, I'm covered. And this can really frustrate people as they're working on their compliance because they're paying pretty good money for somebody to handle that.
But you need to learn what particularly that outsourcer is handling for you. And in the latest version of PCI DSS that has come out, Requirement 12.8 requires that you list and verify the service providers that you maintain as people that you've engaged to help you with the processes that you have.
And you need to include a description of the services that they provide.
This includes the requirement to observe written agreements with them and confirm that they include all of the requirements that they are touching upon and taking care of. A good service provider will actually provide you a list of the very requirements they're handling that you do not need to worry about.
Requirement 12.9 is where the service provider has to comply and state in their own service provider assessment that they are doing all of these things. So don't be shy when you're working with your service providers, those that are outsourcing critical functions for you. It is your right and your responsibility to have that information from your service provider and to even create a responsibility matrix that shows that this requirement is mine.
The other requirement belongs to my outsourcer, and they've acknowledged it in writing that that requirement is one that they own and are responsible for.
Misconception number seven.
I do not need to know what my penetration testing scope should be; the QSA will figure that out for me. Now, while it is true that your QSA can help you in determining the scope of the assessment, he or she is definitely reliant upon the information you provide, such as detailed network diagrams, process flows, firewall rule sets, etcetera.
If you do not have a firm understanding of these elements, the QSA will really not know how to advise you.
Therefore, as you establish a clear diagramed outline of your environment, the scope of the testing will become clearer to you, hopefully, aided by guidance, of course, from your QSA.
So the bottom line is the entity being assessed is responsible for making sure the pen testing methodology is accurately established.
And in developing that methodology, you need to go back to that first slide where I talked about it's dangerous when you don't know what you don't know.
Therefore, when it comes to penetration testing methodology and scope, don't be shy in talking to the people in your entity about their various responsibilities and the functions going on there. Because as you discuss this and share information, as you work on diagrams together, you will notice that you're learning things you did not have an awareness of before, which will greatly help you in crafting your diagrams and your process flows, and it will help you discover things you want to change.
I remember a particular customer that we had assessed for many years, and different staff members come and go as is typical with a company.
But one year, we were preparing for the audit, and as we were going through our questions and looking at the updated diagrams, our QSA noticed a little reference to a service that we didn't recall in past assessments.
And with a few questions asked, it was discovered that there was a data center out there we had no awareness of previously that actually had been functioning for a few years. And so, as a result, there was a server that was very critical in handling cardholder data and flow. We didn't even know about it. And the customer apparently didn't know about it till we started asking questions, and that all cropped up simply because of a slight change someone had added to the diagram.
So, again, that example is to help you understand that you must have good dialogue going on with the people in your organization, particularly those that get added to your organization or when new services come on board.
Another element is when a company buys another entity and goes to bolt that information, or that process and function, into their environment.
You need to not just go through it once. You need to go through it multiple times, over time, to know how the processes are being implemented and brought into your environment and what changes might be occurring as you're doing that.
It is very crucial that you understand that. And therefore, your chances of reducing surprises will go down as well.
Misconception number eight, and this is for service providers. Once I have a validated report on compliance from my QSA, I'll automatically be listed with Visa or Mastercard and their service provider listings.
It's very important that you understand that the service provider is required to establish a relationship with a sponsoring bank.
This is something that we cannot do for you.
Visa and Mastercard consider an entity a Level 1 service provider when they exceed 300,000 transactions annually of any one card brand.
And when you are a level one service provider, you're required to have a PCI assessment performed by a QSA.
And when you have a Level 1 service provider assessment performed by a QSA and you have a signed Report on Compliance and validation of compliance, then you do have the opportunity, if you're willing to pay the fees to Visa and Mastercard, to be listed as a Level 1 service provider on their websites.
Now the service provider has to typically pay around $2,000 a year for that privilege.
They have to have an established sponsorship going with a sponsoring bank, which is not just a merchant bank.
And this sponsoring bank has a direct relationship with the card brands, which allows them to sponsor you as a service provider handling those channels of card acceptance.
Your QSA, when you request it, is happy to submit your ROC, your report on compliance to the card brands that you designate.
But establishing the listing is something you need to do. So my advice on this is that as you are contemplating becoming listed as a service provider with Visa or Mastercard, and before you do your assessment with a QSA, you should start working on that sponsoring bank as soon as possible to establish that relationship, because sometimes it can take time to get that done. That's something you cannot put off, or everything will be on hold until you get that sponsorship established.
Now a Level 2 service provider that normally self-assesses cannot be listed with Visa or Mastercard, but they can choose to undergo a Level 1 service provider assessment by a QSA if they wish to be listed. So in function, they're a Level 2 service provider, but by the way they were assessed, they are a Level 1 service provider. And then they too can jump on board with the service provider assessment listings.
Misconception number nine. People think that since they've completed SOC compliance successfully, they don't really need to worry about their PCI compliance, or vice versa.
So both SOC 1 and SOC 2 audits must be conducted by a CPA firm, while a PCI audit must be conducted by a QSA.
And the PCI DSS consists of nearly 400 individual controls, some of which could apply to a SOC assessment, but there are far more differences than similarities.
Many elements of a PCI assessment lend themselves to the SOC compliance work and vice versa, but full validation of either is definitely independent from the other and must be treated as a separate assessment.
While some evidence can be used for either assessment, the majority of the work involved for PCI compliance validation will be outside the scope of what SOC audits require.
And each assessor signs on the line for personally confirming the validated elements of the SOC and of the PCI assessment.
Now the variability involved with SOC assessments needs to be considered here, because a SOC assessment is tailored to the particular objectives and controls defined by the entity being assessed.
Whereas PCI is more rigid and deals with cardholder data flows, however and whenever the cardholder data is stored, processed, or transmitted. Therefore, some entities may have a lot of overlap between SOC audits and PCI, while others may have very little.
Misconception number ten. It's my QSA's job to get me compliant. Now that's kind of a trite statement and one that isn't really worded that way by our customers. But there is at times a flavor of that going on in their minds. And it needs to be clear that the QSAs are assessors.
They review information and evidence that you provide, and the QSA definitely provides consultation on that evidence and on the efforts you are putting forth to get compliant. But they're really not your boots on the ground. They're not an IT team that steps into place and hands-on makes changes to your firewalls, your hardware, your software, your programming. Those things need to be considered a separate service, or something that you may well do internally, or something that you may have to hire someone to do.
That is something you need to keep in mind as you're preparing for an assessment.
Do we have the right resources inside our company to take care of these things, or do we need to look to getting an outside firm that specializes in that? And there definitely are firms that specialize in being kind of IT in a box that come on board. They learn what you need, and they help you implement to help you achieve your goals.
That's the hands on work needed to bring your environment up to standard.
And something to keep in mind: if you have hired someone in the past who built something for you, but they no longer work there, that tribal knowledge needs to be passed on and documented, or you could be in serious trouble. If some changes are required, you'll have to track down that person who built it for you in the first place.
Very important to keep in mind.
So those are ten misconceptions. There are others, I'm sure. And let's talk about the takeaways here.
There's a lot to think about here, but these are four pieces of advice I would give you.
First of all, feel comfortable enough to ask informed questions. You need to build a culture inside of your business that encourages informed questions, sharing of information, and clarity about who is assigned to tackle what jobs.
Sometimes with larger organizations, we find that the fingers kind of point. You know? They're like, well, John has that. No.
No. No. Sam has that. And then it's a moment of revelation to them that they didn't really have a clearly designed lay of the land as far as who was responsible for what inside the company.
So in preparation for these assessments, the more you're comfortable asking each other questions, and the more you shed the fear of the unknown and instead be afraid of what you don't know that you don't know, then you'll start being able to form questions that are very, very applicable.
That way, you'll have the right questions to ask your QSA for help as you're working on these things.
Next one, number two, is tackle your challenges with a team effort.
Hopefully, all of these duties of becoming compliant and gathering evidence and such do not fall upon one person in the organization. But sadly, we see that.
You'd be wise to create a matrix of responsibility inside your company, who is in charge of what, and keep logs on what they're doing to change things. So people that are doing software updates, make sure you're following PCI DSS on tracking those changes. And then you're having good dialogue about who owns that and how it's changing and how that affects the big picture in your company.
And as part of that, number three, document everything and organize it for updating and future use. This is part of the requirement as you're trying to complete your PCI DSS assessment that you have everything documented and that you have a means in place to update that documentation so that it never becomes stale and and out of date and and incorrect.
Number four, although PCI is a point in time assessment, you need to look at your PCI compliance efforts as ongoing throughout the year, because your company doesn't just sit statically.
There are changes that occur. You need to be aware of the changes as they go, and you need to make sure that you're tackling them as they hit you. For example, penetration testing is a once-a-year requirement. But if you have a significant change to your environment, you need to test again. And your QSA can help you in determining how significant those changes need to be in order for that to trip. But definitely use your partnered assessor to help you understand that.
So if you've discovered that you need to make some adjustments in order to close the gaps in your data security or your compliance plans, then don't delay your response to this. You should get right on top of it. And you can avoid data breaches this way. You can sleep better at night.
You can help people feel a sense of ownership with what they're doing.
And lastly, I would say make sure you engage someone early enough.
Maybe just on an ad hoc, as-needed basis for consulting as you're getting ready to approach more of an active assessment phase.
But once time gets out ahead of you, you know, you've got a problem if you've got deadlines coming up. So you can't be too early thinking about this or formulating plans or creating partnerships or determining who you're going to work with as your assessor.
I would say go after it. Be confident that you can ask questions, and feel that you can trust, you know, a well-vetted assessor to help you with all that.
So if you have any questions at all, feel free to email me. You can also contact our sales team here at this number.
And I wish you the best, especially during this crazy, crazy time we live in. We're here to help you. If you have any questions, then you don't have to feel like you're on the clock with us to just ask questions and get some assistance in your considerations of things.
And that's all I have to say. Thank you very much.