The PCI SSC recently published its Supplemental Validation Requirements for “designated entities”. The document formalizes the requirements for ongoing, interim control validation for these organizations. Not all entities subject to PCI compliance must perform these activities. Only the Brands (Visa, MasterCard, American Express, Discover, and JCB Intl.) and Acquirers can specify a Merchant as a “designated entity”, and the document offers the following as examples of organizations that might be so designated:
- Entities storing large amounts of cardholder data.
- Entities providing aggregation points for cardholder data.
- Entities suffering large-scale and/or recurring breaches resulting in compromise of cardholder data.
These are pretty intuitive, as the examples specified are either lucrative targets given the large volume of cardholder data they handle, or have already experienced a breach resulting in the unauthorized disclosure of cardholder data.
The document includes both new and long-standing requirements (in some cases expanding on the latter), all of which are mapped back to the PCI DSS Requirements:
- 1 (DE.1.1-DE.1.4) Implement a PCI DSS compliance program.
- 2 (DE.2.1-DE.2.6) Document and validate PCI DSS scope.
- 3 (DE.3.1-DE.3.3) Validate PCI DSS is incorporated into business-as-usual (BAU) activities.
- 4 (DE.4.1) Control and manage logical access to the cardholder data environment.
- 5 (DE.5.1) Identify and respond to suspicious events.
It is worth noting that some of these validation activities may, in some cases, require significant capital investment (e.g. data discovery technologies) and additional services (e.g. penetration testing). The validation steps for communicating PCI compliance status to the Board and Executive Management are also noteworthy, and extremely gratifying as a QSA. From my perspective, this (finally) gives PCI compliance equal footing with, and the same visibility as, many statutory compliance requirements.
In terms of timing, many of the validation steps must be performed at specified intervals. The following are some examples:
- Board and Executive-level communication detailing PCI-related initiatives.
- Evidence of security training.
- Effectiveness review of data discovery methods.
- Hardware and software review to verify all technologies meet PCI requirements.
- Penetration testing to verify segmentation is effective (or after significant change).
- User account and privilege review.
- Scope review and validation (or after significant change).
- Data discovery (or after significant change).
- Business as usual activity reviews.
Much like receiving a preliminary assessment for ASV scans, there is an allowance for not having completed all validation steps for the whole year if the “designated entity” is being assessed for these efforts for the first time. The assessed organization need only demonstrate compliance for the most recent timeframe for which the activity is specified. After the initial assessment and going forward, however, the “designated entity” must have the full complement of evidence required to demonstrate compliance.
GuidePoint Security can assist with the new formalized requirements by performing the following:
- Gap Assessment – Work with “designated entities” to identify gaps in control implementation associated with supporting the SSC’s specified validation steps.
- Advisory Support – Work hand-in-hand with organizations working to comply with the new requirements by providing advisory and consultative support throughout.
- Assessment – Perform annual PCI assessments structured to include verification a “designated entity” performed the required validation steps compliantly.
All in all, this is a significant step forward in evolving PCI DSS: it requires organizations to incorporate PCI DSS requirements into their everyday processes and keeps some entities from treating PCI DSS as an annual “check the box” activity. These new validation requirements are hefty, and they put the onus on “designated entities” to embed PCI compliance activities into day-to-day business operations. Ideally, this additional scrutiny, investment, and effort will foster a culture of security within the “designated entity” and elevate control activities to “business as usual”.
About GuidePoint Security
GuidePoint Security, LLC provides customized, innovative and valuable information security solutions and proven cyber security expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Reston, Virginia, GuidePoint Security is a small business, and its classification can be found in the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.