Over the past couple of months we’ve seen a major shift in the way assessors are dealing with PCI-DSS and security. In speaking with some retail customers, one of the overarching themes I’ve heard is to make sure you use an assessor who understands the importance of first having a solid security program before worrying about compliance. In my conversations I’ve been told that QSAs, and assessors in general, have started to shift their approach in how they review PCI-DSS since many QSAs now have more skin in the game. Below are excerpts from a Q&A I did with a security engineer at an AlgoSec customer in the retail space:
Q: What’s changed from a PCI assessment standpoint?
A: With all of the high profile breaches as of late, we’ve noticed audits to be much more intense than in the past. Assessors now look at everything and will continue to probe until they feel comfortable. If they’re not 110% comfortable with an answer, you should be prepared for intense follow-up and scope increase. The QSAs are putting their names on the ROC, which is essentially putting their reputation on the line each time they allow a company to pass an assessment. Now if every assessor were doing their job properly in the past this wouldn’t be an issue, but for the assessors trying to stay par with the course now, we can expect a much more in-depth look into your systems.
Q: How are compensating controls being reviewed?
A: Compensating controls are being scrutinized under a microscope and are not handed out as easily as they once were – which is a good thing. There are times when you need to make a business justification for having a compensating control for a particular requirement, but if there’s a reasonable fix for the issues, then you should have the fix/fixes in place. If you can’t, it may still be allowed, but you should prepare for the request to be thoroughly dissected.
Q: Has there been a change in how forward-looking statements are viewed?
A: While this may have been accepted in the past, forward-looking statements are no longer valid and will be squashed, so don’t even try it. Gone are the days where you can write a business justification about something that’s going in place shortly to remediate a particular issue. If the issue isn’t fixed, you’re not getting your ROC, plain and simple.
Q: What about the impact in terms of dealing with banks?
A: Don’t expect the banks to take it easy on you. Even though many companies are dealing with years of sins in a short period of time, the banks just don’t care. Every time there is a major breach, it’s the banks which must pay out fraud reimbursements, card replacements, etc. and they don’t want to see this happen again. With as much as they have to lose, they will be knocking at your door sooner than they did the year before.
In my conversation with the security engineer, he noted that this will be a real eye-opener for those that were rubber-stamping their compliance. Most importantly though, he thought that all of the hoopla around the recent breaches is actually good for security, in that it forces organizations into a more secure mindset and will bring long-term security to card holders.