PCI: State of the Union – #SCW1

Scott Lyons, Josh Marpet, Jeff Man, and Matt Alderman discuss PCI.

Recorded 10.1.19

STATS: Jeff 45% | Scott 8% | Josh 23% | Matt 22%

PCI Counter: 45

Jeff Man 0:01
This week on Security and Compliance Weekly, we introduce you to our new show in the Security Weekly network, which is Security and Compliance Weekly. I'm your host, Jeff Man. Today we're going to talk about the highlights of the recent PCI community meeting, where they introduced a sneak preview of what's to come in PCI version 4.0. In our second segment, we are going to discuss news of the week in the world of security and compliance. Stay with us. We'll be right back.

SPONSOR 0:34
This is a Security Weekly production. And now, it's the show that bridges the requirements of regulations, compliance, and privacy with those of security, your trusted source for complying with various mandates, building effective programs, and current compliance news. It's time for Security and Compliance Weekly.

Today's organizations face an evolving set of security threats and continually changing compliance requirements. As your business grows, privacy concerns only multiply and add to a dynamic set of priorities. Today's organizations need to integrate risk, security, and privacy into a cohesive program. Online Business Systems' team of seasoned security practitioners works closely with you to assess your security posture, policies, procedures, and technologies, providing tailored solutions that are specifically aligned to your business's risk profile and ultimately ensure the protection of your brand. To learn more about Online Business Systems, go to securityweekly.com/online.

Jeff Man 1:35
Hi, this is your host of Security and Compliance Weekly, Jeff Man. I think I talked about PCI so much on Security Weekly that they finally put me in a corner and gave me my own show.

Matt Alderman 1:48
With constraints. With constraints.

Jeff Man 1:50
So we're starting out a new show. This is Episode One of Security and Compliance Weekly. We're here in studio to kick off this inaugural segment with all of our co-hosts. I'd like to introduce who are going to be the co-hosts of Security and Compliance Weekly. To my left, the CEO of Security Weekly, Mr. Matt Alderman.

Matt Alderman 2:07
Hello, everybody. Yes, I do. I've done compliance in my days. We're going to talk GRC and IRM and a couple of new segments today. So it'll be interesting. A little blast from the past. It's fun to kind of bring all that together in this new show.

Jeff Man 2:21
A blast from the past, and yet it doesn't seem to go away.

Matt Alderman 2:24
It doesn't.

Jeff Man 2:24
Which is why we're doing a whole show on it.

Matt Alderman 2:26
Right. Right. Which is what, that's what happens with regulations: once they start, they rarely end.

Jeff Man 2:31
That’s right. Also in the studio, our new co-hosts. First I’d like to introduce you to Mr. Scott Lyons. Scott, please introduce yourself to the audience.

Scott Lyons 2:40
Hi, everybody. Scott Lyons. I'm the CEO of Red Lion. We're a small information security company out of Maryland, and...

Jeff Man 2:50
Yeah, tell us your favorite color. Oh, I'm guessing it's blue.

Matt Alderman 2:53
It has red.

Scott Lyons 2:56
It has been blue. It has been blue at times. Usually it is blue.

Jeff Man 2:59
Gotcha. Okay. Also with us in the studio, Mr. Josh Marpet. Josh, introduce yourself.

Josh Marpet 3:05
Hi, Josh Marpet. Let's see, chief operating officer of Red Lion, the guy in the funny hat with a loud voice you see at conferences, and I've been around the block more than once. Compliance is fun. We talk about compliance, and we're going to talk about compliance for the US, Europe, Asia, Africa, every continent except Antarctica, probably. So we'll have a lot of fun with that.

Jeff Man 3:25
Unless we feel like we shouldn’t be exclusive and we want to include Antarctica.

Josh Marpet 3:30
They have very little compliance regulation there. But we can make it happen.

Scott Lyons 3:34
Didn’t they just get an ATM there?

Josh Marpet 3:35
They have, they did, but if it's a Bitcoin ATM, then we can talk compliance. Yes, we can have some fun.

Jeff Man 3:42
So for our inaugural episode, we decided, because it just happened a week ago, the PCI community meeting for North America, I was tasked with providing basically a trip report. The PCI community meeting is an annual event. It's always kind of weird to me, because it's an opportunity for assessors to get together, which is a good portion of my past; I was a QSA for 10 years.

Josh Marpet 4:09
I’m sorry.

Jeff Man 4:10
And yet when I get there, there are always so many different people there that are doing so many different things within this umbrella of PCI, yet they're more focused on sort of the product side of things: point of sale systems, card readers, PIN pads. So lots of talk about encrypting this and encrypting that and reducing scope here and reducing scope there. But it's also a chance to meet fellow QSAs, comrades. There were a bunch of people from my company there, my company Online Business Systems. So it's a chance to catch up with people. And it's also a chance to find out what's new and what's different in PCI.

Matt Alderman 4:51
It’s also a chance for the QSAs to understand the frequently unanswered questions.

Jeff Man 4:58
There is that; we'll get to that. The highlight, I guess, what was most interesting about the week, well, the couple of days of the conference, was they gave a sneak preview of the much anticipated PCI Data Security Standard version 4. Now, they haven't released it yet, but they are getting ready to release a draft. In fact, they're going to release it sometime in October of 2019. And they gave a presentation on what's new and what's different, what we can expect to see from PCI version 4. Would you like to hear about it?

Matt Alderman 5:36
Yes, new stuff, changes, deletions, all of the above?

Jeff Man 5:41
All of the above. One thing that I've learned over the years in going to these meetings and getting previews of the new versions of the Data Security Standard that come out: over the past years, when version 1.2 came out, and then later 2, and version 3, and so forth, there was always a lot of expectation for lots of change, and then always great disappointment that largely the structure of the standard didn't change. And, you know, I, like many people, was frustrated about that for many years, but then I kind of figured out eventually, okay, there must be a method to the madness. And they sort of addressed that in the introduction to version 4, where they said, while they're making some significant changes, the overall structure of the Data Security Standard is not changing, which means 12 core segments, or 12 requirements.

Matt Alderman 6:39
12 core kind of families with controls to it.

Jeff Man 6:43
Yeah. And I don't disagree with that, because if you treat it as a framework, and, you know, what are the things that you do in a security program, they pretty much stand intact. You know, there are things that you do to run a security program in an organization. So they have this sort of philosophical, high-level framework approach. What they are promising a lot of change to is they're going to renumber everything, which always drives everybody crazy.

Matt Alderman 7:11
Which means we'll have blog posts upon blog posts mapping version 3 to version 4, obviously, and

Josh Marpet 7:17
Yeah, but at the core of things, as a business owner, as a QSA or whatever, why do I care?

Scott Lyons 7:25
That’s a great question.

Josh Marpet 7:26
Not about the renumbering. But, right, what changes were made that I care about? Well,

Jeff Man 7:31
Funny you should ask. So this is what they advertised, and they caveated, and I will extend the caveat, that this is in draft form, subject to change, subject to approval. In fact, one of the things that they advertised is they're going to go through not one, but two more review cycles. They did an initial, hey, what would you like to see changed? That's normal.

Josh Marpet 7:53
That's the whole review cycle, like that?

Jeff Man 7:55
No, it's not really one yet. Usually it's just one review cycle, but they're promising two review cycles. And I think partially it's because they're making such, in their minds, significant changes to the standard this year. Why you care as an organization is, and I think there's good news in this for you, they've tried to address, I think, some key sore spots or sore points for people, not the least of which is, and this happened in the last year, year and a half or so, when NIST published new guidance on passwords, right, that sort of directly contradicted or was in conflict with what PCI requires.

Scott Lyons 8:38
And we'll be covering everything at NIST in a couple of episodes, by the way.

Jeff Man 8:43
And probably ongoing.

Matt Alderman 8:47
Yeah, yeah. Because this is going to go through similar changes, as everything does, yeah, everything.

Jeff Man 8:53
Now, they didn't go into the details of exactly what's going to change. They just said they are changing; they are taking into account the NIST guidance for passwords. What they effectively said, or what I heard, subject to all the caveats and everything, was, disclaimer...

Josh Marpet 9:07
Disclaimer! Disclaimer! Disclaimer!

Jeff Man 9:09
I think what they're leaning towards is an acknowledgment that if you're using much longer, stronger, more robust passwords, password generators, password managers, you know, key managers, things like that, you can probably not have to do the reset every 90 days. Okay. I'm not saying that's going to be in there. But that's sort of what they were leaning towards, especially when you take into account that in many instances within the card data environment, you're now required to do multi-factor authentication. So they had said, if you're doing multi-factor authentication, we're going to relax a lot of the standard password rules for the price.

Matt Alderman 9:49
Is MFA required now? Or is it…

Jeff Man 9:53
MFA is required now for certain access. Okay.

Matt Alderman 9:58
Admin access, I think?

Jeff Man 9:59
I'm working from memory. Any non-console access into a system,

Josh Marpet 10:05
Yep.

Jeff Man 10:06
administrative or otherwise, requires multi-factor authentication if you're going from outside the CDE into the CDE.

Scott Lyons 10:14
What's a CDE?

Jeff Man 10:15
CDE is cardholder data environment.

Scott Lyons 10:17
Okay,

Jeff Man 10:17
Which is PCI language for what we care about.

Scott Lyons 10:20
Right.

Matt Alderman 10:21
The scope.

Jeff Man 10:22
The scope.

Matt Alderman 10:23
The scope.

Jeff Man 10:25
Yeah, anybody that's trying to log in from outside in is required to use multi-factor authentication. It used to be, in earlier versions, if you were just remotely logging into your network, you know, you're at home and you're logging into your company, you have to do multi-factor authentication. And they sort of clarified that: not just into your organization, but into the card data environment, and

Matt Alderman 10:48
Right, because if you're segmenting your network into the cardholder data environment and non-cardholder data, what they really care about is where the cardholder data stuff is, right?

Josh Marpet 11:00
Well, they're part of it; they care about that. They care about systems with access to that credit card data. So there's the CDE, and then the CDE-adjacent, which is something that we've been pushing on companies, because it's systems that have access to the CDE, systems that are relevant to the CDE, APIs connected to the CDE, etc.

Scott Lyons 11:16
Yeah, because the CDE is bound to the rock, or the rules of compliance, right? Well,

Josh Marpet 11:20
Yes, the CDE is where the data is. But there are other systems that have access to it that are not necessarily inside the CDE, right? Yeah. So it's becoming a part of this. I think about the passwords, this is interesting, because of the de-perimeterization of the networks, you're now seeing that that is extending inside. There's no perimeter anymore. My network is becoming fuzzier, I think, is a good term.

Matt Alderman 11:43
Yeah. And your perimeter is definitely fuzzier.

Josh Marpet 11:45
Your perimeter is just, poof, gone.

Matt Alderman 11:47
Right? Pretty much gone. And you have all these third-party connectors into these environments, in and out of the environments, right, to make some of these systems work. They're all over the place, right? And so that adjacency, and that interconnectivity, and as we see applications continue to get more decentralized, which potentially are also housing cardholder data, or

Josh Marpet 12:09
Or passing it, using light processing.

Matt Alderman 12:11
have to come into scope in some form or factor.

Josh Marpet 12:14
Right, unless you're talking about things that are multi-regulatory, under multi-regulatory regimes, where cardholder data is also PII. And so now you've got things, okay, I'm going to deal with PCI, but PCI is not the be-all and end-all. There are other regulatory regimes. And I might have to, you said that they're paying attention to NIST. Yep. So whether they're reacting to it, working with it, dealing with it, something like that, these other regimes are starting to cross over into each other. So I just wanted to put that in as an aside.

Scott Lyons 12:41
So let me ask this question, then: would putting a ring model on the cardholder data environment be a good thing, like ring zero, ring one, ring two?

Josh Marpet 12:51
Oh, I thought you were talking about an engagement ring. No, no, no. I mean, you know,

Jeff Man 12:55
Are you trying to commit to a long-term relationship with the card data environment?

Scott Lyons 12:59
I get the jokes. I got it. But what I'm saying is...

Jeff Man 13:03
We don't know what you're asking.

Matt Alderman 13:05
You're talking about levels of trust, right?

Scott Lyons 13:07
Yes. Well, it could be levels of trust, it could be levels of compliance, it could be levels of security, it could also be levels of connection. Right? So ring zero being the main environment, ring one being the ins and outs of the environment, and ring, you know,

Josh Marpet 13:22
The problem is, it's not as clear-cut as that. If you've got a Lambda function, a serverless environment or whatever, that springs up to do one piece of data processing, and then another one goes, it's like,

Scott Lyons 13:32
Yeah, but then you're talking about cloud maturity models to be put on top, and that's a whole other subject.

Matt Alderman 13:38
I'm curious about aspects of that. I mean, obviously we're talking passwords, authentication; multi-factor is definitely interesting, right, with the NIST guidance changes. How does that impact the PCI DSS from that perspective? I'm curious where they're going to go with some of these new technologies like cloud, how they're going to handle applications that are highly distributed with a lot of API connectivity. I'm curious how...

Jeff Man 14:07
So cloud was something that they called out specifically; they had a slide on cloud.

Josh Marpet 14:12
They acknowledged it?

Jeff Man 14:13
They acknowledged it.

Josh Marpet 14:14
It exists to them now?

Jeff Man 14:15
Oh, absolutely. Well, and again, not a whole lot of detail. But what they basically said was, because they get a lot of questions, you know, how do we deal with cloud, does PCI DSS apply to cloud if we're outsourcing to a cloud provider? The answer is yes. And the answer is yes.

Matt Alderman 14:34
If it's part of your cardholder data environment, the answer has to be yes. The question is, what types of controls above and beyond the cloud provider's are they now going to look at enforcing for PCI DSS compliance? Right. I think that's the interesting part, because a couple of weeks ago we had a lot of questions on Enterprise Security Weekly about cloud security, where: what does cloud do to my security controls? What do the cloud providers do in the shared responsibility model? What things do you have to do above and beyond on your own? Right? So we did this kind of matrix. I talked about the different levels of potential controls that an organization still has to own.

Josh Marpet 15:20
You did the pizza restaurant, right?

Matt Alderman 15:22
Kinda... no, I didn't, but similar. Yeah, I mean, I made it a little more specific than the pizza analogy. But what we were trying to really understand was, the cloud providers own a certain level, depending on the type of cloud service you're using. Infrastructure as a Service has a lot more requirements on the company, the organization, than a platform or SaaS, right, because a lot of that gets abstracted away. So I think clarification from the PCI Council on those additional types of controls, and they almost have to get a little specific, I think, more than a little, because IaaS is way different than PaaS or function or software,

Josh Marpet 16:08
Multi-cloud maturity. And when you start doing interoperable data loads, and workloads and workflows across multiple different cloud service providers, CSPs. And then when you start talking about the fact that you've got one department of your company doing this, and another department doing that, and they're interacting with certain pieces of data, the only way that PCI can stay relevant is because they're tightly controlling what they care about. They're tightly controlling, it's the PAN, it's the card data itself, right? Yeah. And what is it? It's the name, the PAN, the CVV, CVV2, etc. They've very tightly controlled the data; they've very tightly circumscribed their scope. That's the only way they can stay relevant, unfortunately. And it's a good way, don't get me wrong. But between all the different ways that we're outsourcing everything under the sun, I mean, we've talked to clients that have thousands of third-party vendors. Thousands.

Scott Lyons 16:58
Yeah. And they have no control over them.

Josh Marpet 17:00
They have very, very little cultural, very little control over the...

Scott Lyons 17:04
Besides signing a paper that says, yeah, we're not going to tell people about your secrets.

Josh Marpet 17:09
So the only way that PCI stays as strong as it does is because it's very tightly circumscribing the pieces of data that they care about. Yeah. But the problem is the interactions with other types of data, other types of functions, get ugly fast.

Jeff Man 17:22
Yeah, well, and that's, you know, love or hate PCI, that's where I think PCI, at least in my experience over the years, has really stood out from any other regulatory standard, because they actually say, this is the data that you care about, this is what you need to protect, rather than whatever your data is, you decide, yeah, and apply all these

Matt Alderman 17:48
But by defining the scope of the data to protect, they can also then prescribe a set of controls on the best way to protect aspects of that environment, versus if you look at a privacy regulation; we'll get into privacy discussions on later episodes. Yes, right. Where they all vary. They're all over the board. Is an email PII? Is an IP address PII? Right, I mean, in the EU it gets really crazy about

Josh Marpet 18:17
In the US, it gets really crazy. Well, in the US, the state laws that are coming up, there are 49, I think, breach disclosure laws and notification laws. And they all have different definitions of what's a breach.

Matt Alderman 18:29
Yeah. That's just the PII, too.

Scott Lyons 18:32
Data classification. Yeah, same idea, data classification. You would not believe the number of businesses that we've run into that don't even know what data classification is, let alone

Jeff Man 18:43
Actually, I would believe it, because I've seen it too. Most companies that I've dealt with, they have two classifications: data they care about, it's company confidential, and it's a big huge bucket, right? And then there's the stuff.

Scott Lyons 18:59
So it's almost like a startup or medium enterprise mentality of, you know, here's everything that's us, right, here's everything that's not us. That's it.

Jeff Man 19:08
And the companies that I've dealt with that then came, you know, came in because of PCI: this particular type of data you care about, and this is...

Josh Marpet 19:16
They even get prescribed exactly what data they should be caring about, the PAN, the CVV2, the credit card data, and they still have problems understanding where it is, what they're doing with it, how they're processing it properly or not, and all this other stuff.

Jeff Man 19:28
I'm assuming that it hasn't happened recently, because I haven't done an assessment recently. But asking a customer, I'm there because of PCI, I'm here because of your credit card data, right? And I would ask a question like, what is the data we care about? Why are we here? What are we trying to secure? And they'd be like,

Josh Marpet 19:45
Seriously?

Jeff Man 19:46
Yeah.

Josh Marpet 19:46
Oh, dear lord. Yeah.

Scott Lyons 19:47
So what?

Jeff Man 19:48
I'd have to prompt them: it's the credit card. That's what we're worried about, credit card data.

Josh Marpet 19:54
You need a flash card: credit card data... credit card data...

Matt Alderman 19:57
Yeah, I want more, but if I go through the goals of the PCI DSS, right, cloud is going to get addressed in a couple, a few of the goals, right? Build and maintain a secure network and systems: cloud gets involved. Yeah, protect cardholder data: cloud is going to get involved. Maintain a vulnerability management program: cloud's going to get involved, right. And I think the definition of a vulnerability actually has to move up the stack as we think about applications and different components, not the traditional operating system, third-party software, but it's going to have to

Scott Lyons 20:32
So are you talking about vulnerability by itself, or are you talking about vulnerability in terms of the pen test?

Matt Alderman 20:38
It'll get interesting, right? Because of the way they define that, so I don't know that we want to go down that rabbit hole yet. Implement strong access control into the cloud, into all these APIs and all these services, and regularly monitor and test networks. I mean, cloud has to get layered into those top five goals. Of the six major goals of PCI DSS, cloud has to come in there in some form or fashion. So it'll be interesting to see how they structure it, so...

Jeff Man 21:07
That's a good segue. So what they said about cloud was it's applicable, and what everybody wants, I think Josh referred to it, is people want to know what they need to do to secure the cloud, right, and who's responsible for what. Yep. And this is where you get into the love-hate relationship with the PCI Council. Yeah. They are very adamant about, and this is sort of a good news, bad news, good news type of scenario, they are very adamant about not providing concrete, this is what you need to do, step A, B, and C, or...

Matt Alderman 21:46
You mean they're not going to tell us that we need Tripwire's FIM?

Jeff Man 21:49
No, not after version 1.0. Right. They've learned their lesson.

Josh Marpet 21:55
So descriptive, not prescriptive.

Jeff Man 21:57
Well, and so that's sort of the bad news: they're not going to tell you, but that's to be expected.

Josh Marpet 22:02
Good news.

Jeff Man 22:03
No, the good news is, in the history of PCI, the way it worked, if you were going through an assessment, you had to meet all the different requirements. If you are meeting a requirement, but not the way that it sort of loosely prescribes, you're still allowed to meet the requirement, but you do it with what's called a compensating control, right? And the compensating control is predicated on, I sure hope you can filter out the roof construction, the compensating control is predicated on having some sort of business or technical restriction that prevents you from doing what PCI prescribes that you do. Right. So what they've advertised, and this is sort of the big news, is they are more or less scrapping the idea of a compensating control, and they've come up with what they're calling, and let me go to the notes because I don't want to misstate it, they're calling it customized implementation. So you have the option of meeting the requirement the way it's written, or, if you're doing something else but it meets the requirement, the spirit of the requirement, you're allowed to simply meet the requirement. You don't have to write up a compensating control, you don't have to have the valid business or technical constraint, you can simply say, I don't do it that way, I do it differently. And that's going to play out, I think, a lot in cloud, where people still want to have the cloud detail meet the goals of the requirement, but it's just done differently in the cloud. And the Council's not ever going to prescribe this is how you do it in the cloud, or any other technology. They refer you to the expert in the room, which is the QSA.

Matt Alderman 23:54
So that's going to put pressure on the QSA.

Jeff Man 23:56
Oh, absolutely. Right. So that's the good news. Now here's the bad news, right?

Matt Alderman 24:00
Now, what they're doing is they're shifting these custom implementations to be interpreted by the QSA to determine whether it meets the requirement or it doesn't.

Jeff Man 24:10
So there's more...

Matt Alderman 24:12
Oh, okay

Josh Marpet 24:13
But I'll tell you what it's going to do. The QSA is now going to pass on the cost of that. So the QSA is going to walk in the door and go, you either write up the compensating controls, same as you used to...

Jeff Man 24:22
There are no compensating controls anymore.

Josh Marpet 24:23
It doesn't matter. You're going to write up an explanation. You're going to write up your explanation of what you did, how you did X. Okay, if you write it up, I'm going to charge you X, I'm going to charge you this much for the assessment. If you want me to write it up, no problem, I'm going to charge you X plus, or X times two, or whatever.

Jeff Man 24:40
So this is where it gets tricky and where everybody was kind of scratching their heads. So it's kind of what Josh is describing. They were stating that the entity that's being assessed, the merchant, whoever's going through this process, they can decide what they're going to do in terms of a customized implementation, right? The assessor gets to determine what the testing procedures will be to validate whether what they're doing as an alternative approach meets the standard or not.

Matt Alderman 25:13
Which adds customization into the whole QSA process. Because first you have to get that data from the merchant, and then you're going to have to decide how you're going to validate those through your tests, which is going to change the scope client to client, right? So think about test...

Scott Lyons 25:31
Tester to tester.

Matt Alderman 25:33
You’re right. Tester to tester.

Josh Marpet 25:34
Each company is going to have a standard set of tests, because it's going to... because of their insurance.

Jeff Man 25:39
Not necessarily.

Matt Alderman 25:39
Not necessarily.

Josh Marpet 25:40
I guarantee...

Matt Alderman 25:41
At some point they will.

Josh Marpet 25:46
Because what's going to happen is, let's say there are three different things you have to do, X, Y, and Z, and I have three different QSACs, QSA companies, okay? Yep. And company one says, for X, Y, and Z, we have tests 1, 2, and 3. Company two says, for X, Y, and Z, we have tests 4, 5, and 6, 7, 8, and 9. And this tester says, I've got my special test that I run on this stuff, it's test 10, you know, whatever. And test 10 works fine until they have a breach. And then they come back and they go after the QSAC's errors and omissions insurance. Because remember, now it's on the QSAC, and the QSA who's a member or an employee of the QSAC. The errors and omissions insurance company is going to come and say, well, how did you test for that? Was that process, that piece, done properly? Well, we have a default test. Is that what you did? No, I did my own special test.

Jeff Man 26:35
Right? Oh, and you're picking up on the same thing that I picked up on, which is: how are you going to validate and justify all of this? Because is it going to be the Wild West, like we talked about on the drive up here, where anything goes?

Matt Alderman 26:48
But it wasn't the early, early days of PCI, because you and I were there in the early, early days, right? I was building for it.

Josh Marpet 26:55
(They’re old)

Matt Alderman 26:55
Yeah, I am old.

Scott Lyons 26:56
I love being the youngest one in the room.

Matt Alderman 26:58
The next time I'm in studio, you'll all know how old I am. But when we were building the early program, when I was at Accu bond, right, it was kind of the Wild West; it was PCI 1.0, 1.1. I mean, it was really early. What you've seen over the last 15 or so years is that companies have kind of built how they're going to test for the Report on Compliance, right, the ROC at the end of the day, and they've made that really cookie-cutter in a statement of work. Now what's going to happen is that cookie-cutter process that has been matured and refined over the past 15 years, part of that gets thrown out the window, and it's going to be the Wild West again. So you're going to have your standard statement of work, then you're going to have, based on any custom implementations, all these variations of how you test against them to produce the Report on Compliance.

Josh Marpet 27:50
Which is what we were talking about a minute ago. Well, if you want me to explain it, no problem, it's going to take me three extra weeks; here's what we're going to charge you for that. It's going to take a lot of extra time, effort, and money.

Scott Lyons 27:59
Versus me, where I'm a chop shop, you know, one-stop shop, you know, shoot, I can do that, and I can do that in 20 minutes versus three weeks, and the variance between the data that's collected for both the tests,

Josh Marpet 28:12
You know, there's going to be a raising of QSACs, yeah, it's going to be this: get it, you're not sure that your stuff meets conditions, get this QSAC, they're going to be easier to get through?

Jeff Man 28:20
Well, and there's always been at least the perception that if you don't like the QSA company you have, they're holding you to the fire in a way that you don't like, you fire them, you go find somebody else. It's accepted,

Matt Alderman 28:32
Because you go to the company we won't name on this show, because they'll just cookie-cutter it and push you through the process. Alright,

Scott Lyons 28:39
So the old adage, when you are trying to get through to a call center, right, you keep calling until you get the answer you want. Right, right. The same thing is going to happen here.

Josh Marpet 28:53
Most of the procedures and the shifting, not shifting the blame, but the shifting of the responsibilities that you're talking about, and the customization availabilities that you're talking about, it's going to be much easier for less-than-ethical individuals and companies to basically pass a lot of risk along to the consumer, to the banks, various places like that.

Scott Lyons 29:17
PCI sweatshops?

Josh Marpet 29:18
Well, PCI... Well, yeah, I mean,

Scott Lyons 29:20
Like the pen test sweatshops.

Josh Marpet 29:21
The pen test sweatshops that are out there.

Jeff Man 29:23
Maybe. But in some ways, I think it's also, and they didn't say this, but this was sort of some of the scuttlebutt that was going around, people I was talking to, was that maybe this is an attempt for them to try to squash a lot of the cookie-cutter, not-so-reputable,

Matt Alderman 29:43
highly commoditized

Jeff Man 29:44
commoditized versions,

Josh Marpet 29:45
such a nice way of saying that, well done.

Jeff Man 29:47
The issues monetize In addition to these are, you know, something does happen. How do you validate that everything was added..

Matt Alderman 29:57
Right? And where does the blame fall when a breach happens after the QSAC did the report on compliance? I mean, just think about the back and forth again, back to the early days when these breaches happened when they were supposedly PCI compliant, but yet they still got breached.

Scott Lyons 30:13
Son of a breach.

Josh Marpet 30:14
Breach, I got another one. So okay, let’s assume that a QSAC comes in, does their whole battery of customized tests that are defaulted to the company, they’re doing it properly. And then there’s a breach, the insurance company, the council comes by, like what’s going on? Well, we were tested, we were audited, we were properly done. We were compliant. Bla bla bla,

Jeff Man 30:34
Excuse me, we shall never use that audit word in a discussion of PCI and this show.

Scott Lyons 30:39
What compliant?

Josh Marpet 30:41
No, the word audit.

Jeff Man 30:43
We don’t audit, we assess. Even though the whole PCI community is look they’ve gone over to audit.

Josh Marpet 30:49
My father-in-law is the CPA of Infosec. Okay, so I understand the difference between audit and assess. So I apologize. He’ll yell at me. And then my wife will…

Jeff Man 30:57
It’s the hill I’m dying on.

Scott Lyons 30:59
Stop banging on the subject already, ok?

Josh Marpet 31:02
In all seriousness… So here’s the thing, those customized tests for the various pieces of PCI, okay, the first time there’s a breach, everybody’s gonna go, well, give us your tests. How did you test, right? Those customized tests are not going to be open to the world. And so you can’t claim them as intellectual property. All of the effort you put into them is now open sourced, effectively. And it’s going to be fascinating to see companies try to hide them.

Jeff Man 31:30
That’s an interesting observation. Because I was wondering, not so much from the breach perspective, but from the PCI Council, which is supposed to be vetting the QSAs, vetting the QSA companies; they review a certain amount of work output, they review the ROCs, and they evaluate the assessors. Right? And how do you do that, if all these different assessors are coming up with different types of solutions? How do you standardize and measure that?

Scott Lyons 31:55
One of the main staples of compliance is to try to measure corporate activities on a standardized practice. Right. So if you’re throwing this monkey wrench in, how are you going to validate what is and what is not? The standard practice? Is that is that like…

Jeff Man 32:13
I think that’s part of I mean, how do you evaluate, if you do these things, we acknowledge that you’re meeting the objective of whatever the requirement is, how do you do that, and I’ll put it more succinctly and this is my pet peeve with the with the PCI Council, I was a QSA for 10 years in the days where they accepted work experience to qualify you. They abandoned that with the introduction of version 3, so 5-6 ago, and they first started requiring that you had to have a CISSP certification. In the last year they’ve added a second certification. CISA, information security auditor. Yeah, even they’ve caved to the whole concept of audit. My question is simply, and this was the first question. I thought when they pitch this is like, Huh, I wonder what certification they’re going to add. Now that’s going to qualify people to go out and make all these really intelligent decisions about what’s a valid alternative customer approach? And how do you test its validity,

Scott Lyons 33:15
Security Plus,

Josh Marpet 33:16
I’m gonna hit you. Do you know when it’s gonna be seriously, JD? Because not only are you going to have to write these tests, validate that these tests are valid and reliable, very important. But you’ve also got to get them past legal. Because remember, the minute that you write a customized test to certify or assess that a company is doing something proper within PCI, the minute a breach happens the minute a problem happens the minute anything happens, it’s going to go to court,

Scott Lyons 33:44
Well, shouldn’t be legal, like it shouldn’t, I’m sorry, let me rephrase. Shouldn’t legal be part of the PCI process?

Josh Marpet 33:51
But now it’s, if the QSA is legal?

Scott Lyons 33:54
I’m talking about the legal for the business

Matt Alderman 33:57
yet, but it’s different.

Josh Marpet 33:58
But it’s not.

Matt Alderman 33:58
Because now what you’re doing is you’re hiring an external firm to do the certification. Certification responsibility now sits on the company, that QSA company, the firm, the firm, yeah, and now that firm has to think about the legal impacts of its customized implementation tests, and whether they will hold up in a court of law.

Josh Marpet 34:20
And so you’re adding costs to the QSAC. You’re adding time to the QSAC. They are not being currently compensated under the current rate. So what we should, what I’m hearing is, under PCI version four, costs for performing your QSACs, to bring in a QSA and perform your assessment. Thank you… are going to go through the roof, you will…

Scott Lyons 34:43
Not just cost, but time as well.

Jeff Man 34:46
If doing the customized approach.

Josh Marpet 34:48
Doesn’t matter.

Matt Alderman 34:49
But I think you’re gonna..

Jeff Man 34:50
No. It does matter. If you’re still going by the book, going by the book is fine. It’s still commoditized.

Matt Alderman 34:57
It’s where the cloud stuff comes in. Whether it’s levels of interpretation I’m going to be testing this is where it gets, I’m going

Josh Marpet 35:02
I’m going to put $10 down on a bet with you, sir, that the costs, once 4.0 comes in and people start adjusting to it, costs for across the board assessments, thank you, Jeff, are going to go up, period. Now, that being said,

Scott Lyons 35:17
Is there any room for an over under on that?

Josh Marpet 35:20
Sure, go for it.

Jeff Man 35:21
I think the QSA companies out there, there’s certainly business opportunity, not only in charging to develop the validation and the testing requirements to validate the customized approach, but I could also see an advisory service: let us help you craft what the appropriate custom…

Josh Marpet 35:42
And even if we go,

Matt Alderman 35:44
then we go back to some very interesting separation of duties, right? If you guide them, then you really can’t come in back in and do the assessment, and then we get back into the old discussion of, can a QSA come in and advise and then come in and do the assessment work? Or? Or should they be two separate firms. This is where in the early days, there’s a lot of debate around this in, I think, the later versions addressed aspects of this, but now we’re back into that cycle potentially, again, okay,

Josh Marpet 36:14
I’m betting on a 30% rise in QSA costs, or more, across the board. And the reason is, even if you do it by the book, they’re just like a hospital: I may have you coming in for a big toe boil or whatever, but I’m gonna charge you 50 bucks for that aspirin because I got to pay for the guy down the street, you know, the guy in the ward down there that can’t afford much. So I’m just gonna raise my cost for everything to level set all of the costs. I’m betting for 30% or more increase, to be honest with you.

Jeff Man 36:41
I don’t disagree with that, I guess I envision you know, a surge, a tsunami that will come.

Josh Marpet 36:47
I don’t know when. Don’t get me wrong, and

Jeff Man 36:49
but eventually it will level out and then maybe,

Matt Alderman 36:52
and then PCI 5.0 will change it all again.

Scott Lyons 36:56
You know, I actually want to get in on that and say that and say that price is not going to change. But what is going to change is the level of service.

Josh Marpet 37:06
Oh, no, that’s interesting. I disagree. But that’s interesting. Done.

Scott Lyons 37:11
Okay. That’s easy, right?

Jeff Man 37:12
But done. So stay tuned for a future episode, where we go back and we settle the bet. And we’ll see what is

Matt Alderman 37:19
what else came into the 4.0?

Jeff Man 37:21
That was the highlights, those were the big items.

Matt Alderman 37:24
So passwords and cloud..

Jeff Man 37:26
Passwords, clouds and big one in terms of examples of we’re going to be changing..

Josh Marpet 37:29
the customization

Jeff Man 37:32
is certainly the biggest aspect. And then they reviewed, okay, when’s this all going to happen? So they are, in October of 2019, gonna release the draft version of 4.0 for comment; they’re going RFC, request for comment, right? So they’re going to have a several month, I think, October, November, maybe it’ll close by December, where everybody that’s involved or interested can read through it and put in their two cents. They’re going to review that throughout Q1 of 2020. And in Q2 of 2020, they’re planning for a second round of request for comments. So they’ll put out a revised draft, see if everybody is happy with what they tweak. And then, you know, they’ll never say an exact day, but it seems like they’re tracking towards, you know, Q3, Q4, second half of 2020 is when they’re gonna drop 4.0.

Scott Lyons 38:22
So when companies are doing their second pen tests for PC

Josh Marpet 38:26
Oh, stop it.

Scott Lyons 38:27
No. Okay. I couldn’t help that. I mean, it’s it’s a great idea, you know, IT companies could should do continuous monitoring, continuous testing. Right. But the question again..

Josh Marpet 38:37
To give context, we had an argument, Jeff and I…

Jeff Man 38:40
There wasn’t an argument. I just had to set you straight.

Josh Marpet 38:43
I was correct.

Jeff Man 38:44
No you weren’t.

Josh Marpet 38:45
Yes, I was there was a draft of PCI 3.2.

Jeff Man 38:50
He found a bill that was found on the drive the first link, and I told you that.

Josh Marpet 38:54
Did you find a draft, I haven’t had a chance I will go find it for you.

Jeff Man 38:57
So I’m not wrong until you find a draft. That said, there was a…

Matt Alderman 39:01
It might be in 4.0.

Josh Marpet 39:02
Jeff, has anybody ever called you inflexible?

Scott Lyons 39:05
Jeff, what he’s really saying is he rejects your reality, and he substitutes his own. That works.

Jeff Man 39:12
Well, I went right to the standard and it says annual pentest.

Scott Lyons 39:15
Right,

Josh Marpet 39:16
He is technically correct, which is the best kind of correct.

Jeff Man 39:18
Where there is an opportunity for continuous pentesting is the “or”, the “and/or”, of the requirement: you do an annual pen test and you do a pen test after a significant change to your network or your environment. Okay, which arguably, if, in, you know, they’re not…

Matt Alderman 39:36
If your DevOps means often.

Jeff Man 39:40
You know, what constitutes a significant change,

Scott Lyons 39:42
But what constitutes a pentest as well?

Jeff Man 39:45
Don’t even get me started. Okay. All right.

Josh Marpet 39:47
Let’s close it there.

Jeff Man 39:48
Yes. Let’s close it there. So that’s the highlights of the community meeting, the introduction to PCI 4.0. We’re going to take a quick break, come back and talk about news from Security and Compliance for the past week.
