I recently attended the PCI Community Meeting in Arizona this last week. As both a QSA and PA-QSA, one of the things I find very interesting when talking to other certified QSAs and PA-QSAs is that the issues are very consistent across the board. One of these issues I will describe in more detail in the following sections of this blog.
When performing PCI-DSS assessments for my clients who are using PA-DSS validated applications, one of my responsibilities as a QSA is to ensure that the application is installed in accordance with the Implementation Guide. For those of you who don't know (and I suspect that if you aren't a QSA or PA-QSA, you probably don't), every PA-DSS validated application MUST have an associated Implementation Guide. Even if you want to argue about how the Implementation Guide should be written, what can't be argued is what is required to be in it. The following is taken directly from the PA-DSS Training Manual:
It should detail how the customer and/or reseller/integrator should enable security settings within the customer's network and should cover how to implement the application within the environment in a PCI DSS compliant manner.
To me that reads: create a comprehensive guide that not only discusses all the requirements of the PA-DSS, whether or not each requirement is applicable, but also explains the 12 requirements of the PCI-DSS and what the client's responsibility is with regards to the DSS.
It is up to the specific PA-QSA to determine whether or not the guide meets the intent of the requirements. It is amazing to me how many PA-QSAs blatantly disregard the Implementation Guide and the requirements for it. As a QSA, it is very frustrating walking into an environment, asking the merchant for the PA-DSS Implementation Guide, and receiving a glazed-over look. It's even more frustrating when you then ask the vendor/reseller for the Implementation Guide and they look at you as if you have 3 heads. However, it's most frustrating of all when you do finally get your hands on the Implementation Guide, or a document the vendor says is the Implementation Guide, and it is anything but useful. This is a problem I heard time and time again during the community meeting, so I know it isn't just confined to my customers. I will say this one more time: without a GOOD PA-DSS Implementation Guide it is impossible to know whether or not the application is operating in a PA-DSS/PCI DSS compliant manner and/or what the client's responsibilities are with regards to the application (i.e. encryption key changes, password policies, etc.).
The scary thing is that I once heard a customer that had a PA-DSS validated application tell me that they keep the Implementation Guide as slim and as ambiguous as possible to reduce overall liability. I am not sure what type of message is being communicated to vendors by other PA-QSA companies, but this is certainly not the message that we, as a community, want to get across.
To sum up, the PCI SSC AQM team has not been reviewing these Implementation Guides in the past and has been leaving it up to the discretion of the individual PA-QSA companies. It sounded from the Community Meeting that, moving forward, they will start to address this issue by including the guides in the quality assurance process. I believe this is the right move and hopefully it will start alleviating some of the issues. In addition to this, I feel the SSC should release an example Implementation Guide for PA-QSAs to reference during their assessments.
To all the PA-QSAs and PA-QSA companies: start holding yourselves and your companies accountable for less than adequate Implementation Guides. For those of you reading this, don't think it is just small PA-QSA companies making these mistakes; I have reviewed, and have submitted to the council, inadequate Implementation Guides for applications validated by the quote-unquote "Big Boy PCI Consulting Companies".
Auditing for PCI DSS is ambiguous enough. Let's not make it even more difficult by making QSAs perform a scavenger hunt for the mystical Implementation Guide, only to find, once it is located, that it is completely useless.