Making PCI Stand For Coordination & Impact

June 29, 2009 by ADMIN

Daniel Wallace, Information Security Consultant

Taking the sting out of MasterCard’s new on-site assessment requirement

MasterCard’s Global Security Bulletin distributed to the card brand’s acquirers and processors on June 15th of this year spelled out a new requirement for all Level 2 merchants.

Level 2 merchants must hire a PCI-approved auditor to complete an annual onsite data security assessment by Dec. 31, 2010. Previously retailers that fell into this category were only required to submit annual self-assessments.

Level 2 merchants process between one million and six million transactions annually. Such retailers will typically have between 50 and 250 locations, and some household brand-name companies fall into this category.

It will be no small task in terms of cost and effort for many of the impacted companies to make the transition from self-assessment to an onsite third-party assessment. However, there are ways to lessen the burden and actually drive business value from the engagement.

Make Certain that You Have to Comply

Onsite PCI assessments are not cheap. First make certain that you have to comply with the onsite assessment requirement.

Although all of the major card brands are partners in PCI DSS, transaction counts are tallied separately for each card brand.

For example, a merchant that processes 2 million credit card transactions will not necessarily be a Level 2 retailer. What matters for purposes of this requirement is the number of MasterCard transactions. You may have 800,000 MasterCard transactions, 600,000 Visa transactions, and 600,000 transactions with American Express.

If this is the case, you’re a Level 3 retailer because you process fewer than one million MasterCard transactions, and thus you are not required to have an onsite data security assessment. You are safe for now.

Plan Ahead

An enterprise with the footprint to drive over one million transactions with a single card brand will likely require a sizable and fairly complex assessment engagement.

Depending on the organization the project cycle from vendor selection through actual fieldwork to final report acceptance can easily run six to twelve months.

Only allowing your organization the minimum timeframe to complete this work will most certainly increase cost and create undue pressure for everyone involved. Performing initial project planning and engagement definition work ahead of time can result in better cost and time estimates from your vendors, ensure availability of the resources necessary to make the project a success and make the actual fieldwork go much smoother.

The assessment should be approached with the same rigor as any business project. Consider assigning an internal project manager to handle planning, estimation and coordination.

Hiring a Qualified Security Assessor

A Qualified Security Assessor (QSA) with the ability to sign off on a Report on Compliance (RoC) always works for a QSA company.

The RoC is the final deliverable document in this type of assessment. While you can hire a freelance consultant with a QSA credential to perform remediation work or internal project planning, they will not be able to help satisfy the onsite assessment requirement.

The PCI Security Standards Council (PCI SSC) requires that every QSA work for an authorized QSA company, and it provides a list on its website of every registered QSA company as well as the authorized individuals employed by each QSA company.

Once you review the online QSA list you may notice that some companies are listed as “in Remediation”.

This status indicates a determination by the PCI SSC, after Quality Assurance review, that a QSA organization has violated one or more applicable QSA Validation Requirements. Consider verifying that the QSA company has satisfied the quality assurance requirements before hiring it to perform your assessment.

It is not yet known what impact the MasterCard requirement will have on assessment fees.

As with any professional services investment, resist the temptation to simply hire the company with the lowest estimated bid price. Most Level 2 merchants will require a fairly sizable QSA company to effectively perform the engagement.

A smaller QSA company might be more inclined to price aggressively, but it may not have the sophistication to accurately estimate the time necessary to complete a large assessment, or the resources to complete the work within the required time frame.

A QSA with a higher estimated bid might actually end up saving you money over the long run. It also pays to research the QSA company thoroughly, so bake time for research and reference checks into your plan.

Gather Documentation Ahead of Time

Your QSA will want to review all of your security policies and procedures.

You do have written security policies, right? In addition, they will want to see network diagrams, flowcharts of the card transaction cycle, results of security scans and penetration tests, and possibly other security assessment work.

Waiting until the assessment team arrives onsite to begin gathering this information, or having the QSA gather it themselves, will result in unnecessary cost.

Remember that most PCI assessment work is performed on a time and materials basis.

Providing the required documentation to the QSA ahead of time saves money and time, and the additional familiarity the QSA will have with your organization’s control environment on day one will likely result in a higher quality report with better business insight.

Make Key Individuals Available to Your Assessors

While reviewing documentation is an important part of the PCI assessment, the QSA has to validate the controls in place that support PCI DSS requirements.

Often the QSA will conduct interviews with key managers as part of this validation process.

The assessment work can be significantly slowed down by meeting rescheduling or by a key manager who is not available. This is where planning and coordination can pay off.

Before the QSA arrives onsite, work with them to develop an initial interview list and schedule the appointments for the QSA. Planning the interview itinerary in advance will keep the engagement moving and lower cost over the course of the assessment.

While many retailers are not happy with MasterCard’s change, approaching the assessment as a business project can ensure a smoother transition to the new requirement.

Daniel Wallace is a Detroit, MI based information security consultant who has been assisting executives and advising organizations on compliance issues for over 15 years. He can be reached at dwallace@growforwardllc.com

LinkedIn: http://www.linkedin.com/in/wallacedan

Twitter: http://twitter.com/dpwallace

*   *   *

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com
