The Covid-19 pandemic transformed the consumer shopping landscape. Curbside pickup, online payments, and mobile point-of-sale (PoS) devices became the new normal. Online sales increased by 50%. These shifts in the way we shop have had a big impact on payment security. In 2019, only 27% of organizations were completely compliant with the PCI DSS (by contrast, 52% were compliant in 2017). Numbers for 2020 are still being crunched, but it’s unlikely this number will have improved, as pandemic response plans introduced new technology at a rapid pace, moved workforces remote, and forced budget cuts across the board, including in security and compliance.
While organizational factors like budget, leadership buy-in, and technology ultimately have the biggest impact on PCI compliance, your relationship with your PCI Qualified Security Assessor (QSA) can shape your compliance success. Regular discussions with your PCI QSA on scoping, compliance in the cloud, remote assessments, and security threats can help you achieve compliance more efficiently.
In this blog post, we will look at six questions you should ask your PCI QSA as you prepare for PCI compliance in 2021.
1. Is my scope and compliance burden still appropriate?
You should be having a conversation with your QSA about your PCI scope every year. Your QSA may not initiate this conversation, instead preferring to roll forward the same cardholder data environment (CDE) year over year. But re-evaluating your scope can help you reduce compliance costs and ensure recent changes are addressed.
First, you should talk to your QSA about any enterprise changes that may impact your scope. Maybe your marketing team did a website redesign, and parts of the online payment process are now outsourced. Or perhaps your retail stores added new PoS devices to accommodate curbside pickups. Potentially portions of your CDE have been tokenized. These changes would have an impact on your compliance scope.
Next, have a conversation about cloud. If, like most organizations, you are moving applications to the cloud, you need to consider how this new architecture impacts your PCI scope. Most likely, your scope will shrink as more payment data is managed by cloud service providers. But the move to the cloud also means you’re expanding your CDE. Your CDE is no longer a neat package stored within your organization, but a fragmented environment, distributed across third-party providers. This shift definitely warrants a conversation with your QSA.
Insist on these conversations, even if your QSA prefers to follow the previous year’s plan. Beyond reducing costs and addressing enterprise changes, regularly assessing your scope helps you balance compliance and autonomy. A static scope can limit your security program’s ability to adapt and advance. Annual scoping evaluation can help you maintain the balance your program needs to defend against evolving threats, adapt to shifting business needs, and potentially reduce security and compliance costs, while staying compliant.
2. What is your approach for PCI assessments in the cloud?
In a perfect world, you would work with your QSA before moving any piece of your CDE into the cloud. However, our world is far from perfect. Oftentimes, applications are moved to the cloud quickly, and driven by outcomes unrelated to compliance: enabling a remote workforce, reducing costs, modernizing outdated systems. While these drivers are understandable, they typically mean security and compliance are reduced to an afterthought.
Because of this, you’ll need to work with your QSA to assess your cloud environment. Before you begin your annual compliance activities, it’s important to have an open conversation with your QSA about their approach to cloud assessments. Some QSAs are better prepared than others to assess modern cloud environments. Your goal should be to evaluate whether your QSA is able to apply the requirements of the DSS to your cloud technologies. In the past, QSAs focused on static servers and network devices – ask them how they’ve adapted their sampling techniques and testing methods to cutting-edge cloud technologies (e.g., DevSecOps and Infrastructure-as-a-Service). You don’t want a QSA that is applying the same rigid approach to the cloud. This will result in serious misalignment.
The current version of the PCI DSS doesn’t align well with certain aspects of cloud technology. While there may be hope on the horizon with PCI DSS v4.0, you want a QSA that understands how to apply the current DSS’s requirements and sampling techniques to your new cloud computing technologies, thus ensuring your cloud infrastructure is aligned with current and future compliance requirements.
3. Are we gaining efficiencies now that assessments are 100% remote?
Covid-19 has changed the way everyone works, your QSA included. Most PCI assessments are now completed remotely. While this shift required some adjustments, it has also resulted in a few benefits, including reduced compliance costs. Remote assessments mean no more flights, hotels, or travel expenses from your QSA. If your QSA hasn’t reduced your costs accordingly since the move to remote assessments, it’s time to have a conversation with them.
Beyond reduced costs, your QSA should have technology in place that makes remote assessments run smoothly. They should be using modern applications and testing techniques that provide you with real-time access to findings and knowledge sharing. Some QSAs have begun using self-assessment style questionnaires to help guide the remote assessment process and identify high-risk areas in your programs. Remote assessments shouldn’t mean your QSA is less accessible. The top QSAs have found ways to make remote assessments transparent, seamless, and more cost effective.
4. What are the new or emerging threats to our payment data?
Your QSA should be a resource for you, sharing insights on cyber threats, trends, and changes. If your QSA isn’t giving you regular updates on relevant cyber threats that directly threaten your environment, it’s important that you find a QSA who does. Because most QSAs work with a range of companies, they have valuable insight into the trends and threats that have the biggest impact on organizations like yours.
New threats emerge all the time. In recent months, we’ve seen spikes in ecommerce skimmers. We’ve spoken on these types of attacks before (see this blog post here or this webinar over here), but we want to highlight it again. They can stay undetected in your organization for months, quietly stealing critical customer data. Regularly checking for these types of threats in your applications is so important. (Our team has built a tool to help you detect these types of attacks. You can check out their demo here.)
Access issues are also a consistent threat. MFA bypassing has become a popular attack strategy for breaching cloud platforms. Weak service accounts are another valuable target for attackers, providing them with privileged access to devices, applications, and data.
The Covid-19 pandemic has also introduced new challenges. With many call centers and customer support centers closed, customer service employees are working from home and taking payment information in their home offices, requiring new policies and controls. Your QSA should be able to provide strategies to lock down the endpoint for all “work from home” customer service employees.
While all important, the risks above apply generally to payment security. Your QSA should be able to identify threats and risks that are especially applicable to your business and help you remediate any vulnerabilities.
5. How do I compare to your other clients?
As with any compliance initiative, it can be easy to get caught up in “checking boxes” and lose sight of the big picture. Achieving compliance shouldn’t be enough; your organization should also see measurable improvement each year. Benchmarking your progress against others in your industry can be a useful tool, and your QSA should be able to help you with this.
Ask your QSA to provide you with a benchmark or health check. They should be able to provide you with metrics like average days to close a finding or average days to fulfill an evidence request. These metrics help put your compliance program into context. When working in a silo, you can become complacent with your results. Seeing how you stack up to other organizations of similar size and industry can help you identify your problems, minimize time and effort, and reduce costs year over year.
As mentioned earlier, many QSAs are running on auto-pilot. They come in, perform their assessment, deliver their report, and then disappear until next year. They may help you meet your compliance requirements, but they don’t offer any true value to your security organization. Finding a QSA who is there to help you improve your PCI program, not just check boxes, will help you achieve better results, meet the demands of the business, and adapt to changing technologies and threats.
6. PCI DSS version 4.0 is coming. What should I do now?
The PCI DSS v4.0 is set to come out this year. However, you will have 2 years from its release to align with the new standard and an additional 9 months to implement any net new controls. While you don’t need to rush, you should start talking to your QSA about how to plan, as there are a few notable changes, including:
- Replacement of compensating controls with customized approach
- Emphasis on the vulnerability risk ranking process and custom risk assessment to add flexibility to requirements
- Disk encryption cannot be used as the sole method of encryption for non-removable media (e.g., servers and databases)
- Implementation of “anti-phishing” mechanisms and processes
- Elimination of the option to review public facing web applications every 12 months
- Semi-annual privileged account reviews
- Passwords must be at least 12 characters
- MFA required for all access to the CDE (not just administrators) and stronger MFA requirements (single step only)
- All systems and application accounts that can be used interactively must be managed like user accounts
- Hardcoded passwords in custom applications and scripts prohibited
- Checkout page integrity protections (more robust than traditional FIM) to help prevent ecommerce skimmers
- Formal controls for determining and periodically validating PCI DSS scope
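As an added example (not code from the original post, and not Focal Point's detection tool), this is the kind of checkout page integrity check that goes beyond traditional file-level FIM and that the skimmer discussion above calls for: it fingerprints the scripts actually served on the checkout page and flags any script origin or inline script body that is not in an approved baseline. The page contents and domains are constructed for the example; in practice you would fetch the live checkout page on a schedule and alert on any findings.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class _ScriptCollector(HTMLParser):
    # Collects the origin of every <script src=...> and a SHA-256 of every inline script body.
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(urlparse(src).netloc.lower())
        else:
            self._in_script, self._buf = True, []
    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._buf).strip().encode()
            self.inline.append(hashlib.sha256(body).hexdigest())

def baseline_from(html):
    """Record the approved script origins and inline-script hashes of a known-good page."""
    p = _ScriptCollector(); p.feed(html); p.close()
    return set(p.external), set(p.inline)

def inspect_checkout(html, allowed_origins, approved_hashes):
    """Return one finding per script that is not in the approved baseline."""
    p = _ScriptCollector(); p.feed(html); p.close()
    findings = [f"unexpected external script origin: {o}"
                for o in p.external if o not in allowed_origins]
    findings += [f"inline script changed or added: {h[:12]}"
                 for h in p.inline if h not in approved_hashes]
    return findings

# Constructed sample pages (not real merchant pages): the approved checkout page,
# and the same page with an altered inline block and an injected third-party script.
BASELINE_HTML = ('<script src="https://js.example-psp.test/v1/checkout.js"></script>'
                 '<script>initCheckout({merchant: "demo"});</script>')
TAMPERED_HTML = ('<script src="https://js.example-psp.test/v1/checkout.js"></script>'
                 '<script>initCheckout({merchant: "demo"}); extra();</script>'
                 '<script src="https://cdn.unknown-example.test/a.js"></script>')
```

Because the baseline is taken from the rendered page rather than from files on disk, a script injected through a compromised third-party tag or a database-stored template is caught even though no monitored file changed.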
While version 4.0 is still being finalized, there are some preliminary ways you can prepare. First, have a conversation with your QSA. Discuss the areas where you will be most impacted, as well as those that will require the most effort from your team. Second, do a quick posture check. This will help you identify areas that will need more work when the time comes. And if you’re feeling really ambitious, you could perform a gap assessment. This will help you build a plan so when the time comes to adapt your program to version 4.0, you’re ready to go.
Each QSA will have a different approach. Some will recommend waiting a year or two, while simultaneously assessing against 4.0 and identifying opportunities for improvement. Others will want to start making updates quickly, while others will want to take advantage of the timeline, implementing changes slowly. It’s important to start having conversations about version 4.0 now to ensure your QSA’s approach aligns with your strategy.
These six questions drive at a fundamental truth: You should have a strong relationship with your QSA. A QSA who is only focused on your annual assessment and ticking boxes doesn’t provide value to your organization and can ultimately leave you exposed to risks. Regular conversations with your QSA about threat trends, regulatory changes, industry shifts, and more help you build a smarter, more efficient PCI program. Like other areas of security, PCI compliance should evolve, and your PCI QSA can help keep your program cutting edge.
Focal Point is a certified PCI QSA and ASV, providing standard services like PCI assessments, but also specialized offerings like PCI compliance in the cloud. If you’re considering a new QSA or just want to learn more about our services, we’d love to have a conversation.