
MasterCard Throws Another PCI Grenade

12-31-2009

1 Step Forward, 1 Step Sideways & 2 Steps Back

With the recent changes by MasterCard (again), I wanted to discuss a couple of my concerns and/or questions. In large part I have only seen one other fellow PCI blogger mention them. Let's start with:

One step forward: the extension giving Level 2 merchants more time to comply with the new rule changes, from December 2010 to June 2011 (not a deadline smack dab at the end of the year and the holidays), was a good thing.

One step sideways: the change to allow (starting in June 2011) a Level 2 merchant the flexibility to decide whether to complete a SAQ or a ROC. I like this change, as requiring a small Level 2 merchant to have an onsite assessment performed by an external QSA was, in my opinion, not realistic and way too burdensome for small Level 2 merchants, not just fiscally but also in resources. Allowing the smaller ones to perform a SAQ and the larger ones to pursue a full onsite assessment and ROC submission was, I think, a good move. Of course, ultimately it will come down to what that merchant's acquiring bank requests, and I hope most request that the large Level 2 merchants have an onsite assessment performed, and the ROC authored, by an external QSA.

2 steps back: the change that will allow merchants to have their own internal audit staff perform their onsite assessment and author the ROC. My first problem with this is that I feel you almost always get a more objective audit/assessment from an outside party.

Second, most Level 2 merchants do not have a dedicated audit department and/or staff; the ones that do are in most cases focused on financials and have very little concept of PCI, or of how to conduct an assessment (not an audit), let alone a good understanding of information technology, in which PCI is very entrenched.

Third, what will end up happening at most merchants is that the I.T. department will be tasked with performing the assessment, which in my opinion also poses significant issues, one of them being objectivity and the other a lack of audit/assessment experience. I think the lack of understanding of how to properly apply PCI during an assessment, for example knowing how to get to the core intent of a requirement, will significantly limit a merchant's ability to file an accurate SAQ or ROC and/or to effectively protect their customers' cardholder data.

This in essence leaves them really non-compliant and, more specifically, unknowingly making false claims. Apart from not adequately protecting cardholder data, if a data breach occurs, that's a mess they are going to wish they hadn't gotten into.

Another concern I have, and that I have seen no one else speak to, is the pressure the I.T. department and the company as a whole are going to put on the lucky I.T. staff member (many times this responsibility will fall on the I.T. security administrator; trust me, I speak from experience) to allow a lot of things to slide, or, if you want to call it push back, you can use that term also.

A huge advantage that current external QSAs have, and that an internal I.T. staff member performing this assessment will not have, is that at the end of the day the QSA can say "sorry, this deliverable or current control does not meet the PCI requirement" and require you to fix it or develop a compensating control, no ifs, ands or buts. Do you honestly think the internal assessor, regardless of who he or she is, is going to have equal authority? I THINK NOT!

To move on to my second high-level concern/question: neither VISA nor MasterCard has explained how this process is really going to work and what governance is going to be applied. We know that an internal merchant staff member will need to go through pretty much the same training/certification process. But are internal audit staff/QSAs also going to have to go through the same QA process and be held to the same standards that external QSAs and firms are? Hmmmmmm. Are internal QSAs (for lack of a better term) going to have to submit their work to also be reviewed, and will they also be put in remediation when their work does not meet the PCI SSC standards?

To sum things up, it just seems to me the card brands started back in 2008 trying to flush out the rubber-stamper QSAs by raising the standards and enacting a stringent QA process. This was in an attempt to flush out the ones that really didn't know what they were doing and/or didn't care; they would just come in, do a half-assed assessment and file your compliant ROC for you. Although there are a lot of guilty merchants as well that knowingly pursued these types of QSAs.

So in essence, now allowing staff that may not always be the most objective and/or qualified, and not having defined strict governance of how they conduct the assessment, is to me 2 steps backwards.
