
PCI Onsite Assessment - Part 4

Old 05-21-2010

Part Four - Authoring your PCI on-site assessment RFP

This is the fourth chapter in a series about preparing for and going through a PCI assessment;...

1.      Part One - Intro to a PCI on-site assessment & the QSA selection process
2.      Part Two - Preparation for an on-site assessment and what to do first!
3.      Part Three - Defining your scope so you know what you're assessing
4.      Part Four - Authoring a PCI On-site Assessment RFP
5.      Part Five - Selecting a QSA to conduct an on-site PCI assessment
6.      Part Six - Preparing your Company and I.T. department for the assessment
7.      Part Seven - Important documents to have to manage your assessment

Your RFP; there are many critical elements to your PCI on-site assessment RFP, here are the main ones;
1.    Scope,
2.    Resources,
3.    Deliverables,
4.    Schedule,
5.    Costs.

For a template to get started, See “PCI v1.2 RFP PCI Onsite Assessment (V2.0)” in the docs section of my site.

Keep in mind it is perfectly okay during the first half of the QSA selection process to update your RFP as you are learning additional relevant information, either by discovery or through interviews with the QSA firms. You should hold on to your RFP while you are researching and questioning the initial round of 5-9 QSA firms you are considering. Once you are down to 3-4 QSAs and you feel your RFP is as good as it's going to get, submit your RFP to the final 3-4. After that point it will be modified to accommodate questions, legal matters, etc. as you move along, until you finally get to your signed RFP/SOW.

Also remember the QSA SOW, which will be based upon your final RFP, is a legally binding contract once signed by both parties, so make sure it contains everything you want and expect from the assessment.

1.    Scope; as mentioned in part 2, you should define your scope and perform your own “Internal payment systems and card holder data scoping project.” You should have your scope well defined prior to engaging a QSA. But for argument's sake, let's say you have not performed a scoping project and mapped out your card holder data environment. This is unfortunately normal for many organizations prior to engaging a QSA for the first time.

The QSAs that you engage with during the initial phase of assessing them should be able to provide you enough guidance to get pretty close. Part of that help should also come from any vendors that provide solutions you may use (i.e. Micros). However, keep in mind that the QSAs will push back by saying, “We can't really give you an accurate quote or tell you how to scope the assessment without either being there to assess it or reviewing Visio diagrams, CHD flow charts, etc.” This is the classic chicken-and-egg problem. But like I said earlier, they should at least be able to get you close.

When you make your final selection, down to the final one, even without a solid scope defined, they should be able to give you a soft quote. The next step is to get your NDA signed with them so that you can give them Visio diagrams and other relevant detailed documentation, and work together to come up with a final, agreed-upon scope.

2.    Resources; make sure you define exactly what resources the QSA plans to dedicate to this engagement. Don't let them waffle on this, and make sure you have a defined set of QSAs that are dedicated to your assessment.

3.    Deliverables; other than the obvious, a “Report on Compliance” or assistance in filling out an SAQ, make sure there are no assumptions here. My favorite movie line of all time was the comment made in “Under Siege 2” (ok, not a great movie) where one of the bad guys asked another whether Steven Seagal was dead and did he see the body; the bad guy replied no, I didn't see the body but assumed he was dead. The lead bad guy replied “Assumption is the Mother of all F*ups.” So true. Ok, let's move on, shall we?

Know exactly what you want to get, and define it. For example, I spell out in part of the agreement that the QSA must provide detailed guidance on areas of non-compliance. Translation: they have to work with you on remediation and/or compensating control options. Also make sure you list the specific documents (data flow charts, compensating control docs) from the assessment that you want. Do not assume they will provide you with all the documentation they produce. I have heard of some sneaky QSAs in the past requiring a merchant to pay extra on top of the original fee for documents like this.

4.    Schedule; this one is maybe even harder than scoping the assessment. Like everything in I.T., it's always going to take four times longer than you can ever justify, whether it's I.T. busy putting out fires, remediation projects large and small born from areas of non-compliance, or because it's your first time and things came up you just didn't know about.

Make sure you give yourself at least 6 months, regardless of merchant size and especially if it's your first time going through an on-site assessment with a QSA. Hey, if you finish 3 months ahead of time, great, but if your ROC is due next week and you're 3 months out before remediation projects or tasks are complete, which scenario do you want to be in? That's what I thought. Also remember the QSA works for you; yes, they are going to have other clients, but they should always try to accommodate your schedule.

Make sure you define the phases of the assessment and the end of the assessment time-line. Define the end of the assessment time-line as the agreed-upon time frame in which you and the QSA do the final draft work on the ROC. Formalize when you expect the first draft ROC from them, when you get it back to them with your changes, when they get that revision back to you, and so on, so that you're not confused at the end and can get your ROC to the bank in time.

5.    Cost; this of course is going to be based primarily on the scope, that's why I can't say loud enough how important that is, but make sure you have in the SOW how they plan to price things if you start to go way outside the original scope, whether it's fixed (expect a higher quote with this option) or fixed hourly pricing. Also, if you're a retail outlet and have stores all over the place, you need to define how many sites (don't forget off-site DR facilities) they need to visit and perform an on-site assessment at. See “Infosec-rusch Travel Incidentals (2009-2010)v4.xlsx” in the docs section of my site.
