What You Need to Know About Compliance Validation

By Greg Johnson, PCIP – CEO, Webcheck Security


Since 2006 I have been privileged, through various roles and in good companies, to counsel with and advise service providers and merchants alike in regard to PCI compliance. This article is to clear the fog and lay out the facts for you as a service provider so your validation requirements are clear.


First, let’s define what I mean when I say “service provider.” This is a blanket term which can encompass Independent Software Vendors or ISV’s, payment gateways, payment facilitators, vertical market Software-as-a-Service (SaaS) applications which as a value add or main function, offer card payment processing.


A classic example of this is QuickBooks. Quickbooks is really all about accounting, but in later years added (and wonderfully so) the ability to invoice and accept payments. An example of a vertical value-add application is foreUP golf course and club management software. ForeUP has, as its core function, the management of the course and pro shops, but accesses payment partners such as Worldpay and others in its software to facilitate payments.


I could probably list thousands of examples from text messaging apps to dental office management systems to sports applications – some of which may not touch the card data due to redirects or other methods – but all of which have a PCI validation responsibility.


Concept #1 – Over or Under 300,000 Transactions

There are two main ways to validate your compliance: Self-Assessment Questionnaire (SAQ) or Qualified Security Assessor (QSA) audit. Simply, if you as a service provider store, process, or even transmit (transmit=card data traverses even a piece of your infrastructure) over 300,000 transactions per year, then you will be on Visa’s radar. With this, as enforced through your processing partner, and must hire a QSA firm to perform and pass a Level 1 Service Provider PCI Audit. (See https://usa.visa.com/dam/VCOM/download/merchants/data-security-compliane-service-providers.pdf)


Concept #2 – Do You Want to be On The List?

Visa maintains a global registry of service providers which all service providers can register for and appear on once they can pass the PCI audit from a QSA and produce a Report on Compliance(ROC). (See https://usa.visa.com/splisting/splistingindex.html) Level 2 service providers, or those facilitating or processing less than 300,000 transactions per year, can choose to get on the list for business or sales enablement purposes. They must be prepared to spend the money required to prepare for, pass a level 1 audit and pay the registration fee. Typical QSA audits will range from $17k to $25k depending on size, scope and locations, and the Visa fee changes from time to time but has traditionally been $10k.


Concept #3 – SAQ D – Service Providers

Most of you reading this article as service providers will fall in the level 2 or self-assessment category. You may not care to be listed on the Visa Global Registry, you just want to demonstrate your compliance because you’ve been asked by clients, partners, and most importantly, your processor or acquiring bank (also known as acquirers).


There’s a good news/bad news component here. The good news? You get to self-assess! The bad news, there is only one option for service providers, and that is the SAQ D – Service Providers, or the self-assessment questionnaire for service providers. This questionnaire represents the full PCI DSS controls and can take some time to comply. Even if your technology redirects or uses an online end-to-end encryption, etc., you must still use this SAQ.


Now there is another element of good news here however for SAQ D – Service Providers folk, and that is that if you are redirecting or using cardholder data environment scope-reducing technologies, you may be able to answer some of the questions as “NA” if you have an adequate description of why.



Let’s Be Clear – Proof


To be clear about demonstration of validation however, even if you are in the self-assessing category, the hard reality is you will find it hard to educate some clients and partners without solid third-party validation proof.


"Most aquirers will require that you demonstrate a passing annual penetration test and that you are enrolled in an ASV-approved vulnerability scanning program and are passing your scans."


For that reason, most aquirers (your payment partners) will require that you demonstrate a passing annual penetration test and that you are enrolled in an ASV-approved vulnerability scanning program and are passing your scans (services provided by Webcheck Security). Pen tests and scans aren’t nearly as costly as the full PCI audits for small service providers, and can be performed, remediated and passed with relative ease.


Indeed, the SAQ D requires quarterly scanning and annual penetration testing anyway. (Requirements 11.2 and 11.3) A service provider may say, “Well we don’t process the card data – we call the processor’s gateway and their form presents directly to the merchant or user, and the card data never touches or network or cloud….” You’ll still find it hard still to make that argument without security validation by a third party (scanning and pen testing).


A final word on security best practices is that even if the scenario above is true, meaning your payment facilitation doesn’t touch the card data, please remember that servers and processes can still be hijacked, compromised, redirected etc., so why not just put all doubt to rest and present inquiring parties with your scan and test attestations? You will facilitate business and demonstrate your compliance.


Summary

If you are a service provider doing over 300,000 transactions per year, you’ll need a Level 1 Service Provider Assessment performed by a Qualified Security Assessor. If you’re Level 2, which is everything under 300,000 transactions, you may self-assess using the SAQ D – Service Providers, but you will still be required to demonstrate an annual penetration test and quarterly scanning, along with passing SAQ. Finally, Level 2 Service Providers can elect to be seen on the Visa Global Registry of Service Providers, but to do so they will have to pass a Level 1 Assessment.


For questions about this article, please reach out to us and we will be happy to respond!

Why has NIST been creating such a buzz lately? Earlier in the year I attended an invitation-only presentation hosted by the regional office of the FBI; a presentation given annually to all movers and shakers in the cyber community. It proved to be a most excellent presentation and an eye opener!


 


I’ll get to NIST in a minute – but first some stats:


  • The annual cost to the U.S. economy of counterfeit goods, pirated software, and theft of trade secrets is between $225 billion and $600 billion.

  • To achieve its strategic goals, China relies on various state-directed plans. These plans provide insight into the kinds of intellectual property and trade secrets the country targets and seeks to acquire from foreign sources. At present, China’s government has as many as 100 plans guiding China’s foreign acquisition in science and technology, and their scale and influence are impressive. Two of the most important among these plans include the 13th Five-Year Plan and the Made in China 2025 Plan.

  • The Made in China 2025 Plan lists 10 domestic Chinese industries in which China seeks to significantly reduce its reliance on foreign-produced technology and develop 70% of the components for these projects in China.

These include:

  • Computer numerical control machine tools and robotics

  • Aerospace equipment 

  • Electric power equipment

  • Marine engineering equipment and high-tech ships 

  • Agricultural equipment

  • Advanced rail transportation equipment

  • New materials

  • Energy-efficient and new-energy automobiles

  • Biomedicine and high-performance medical instruments


This article could go on for several pages, listing specific cases and cyber thefts (as well as physical theft) and I haven’t even discussed what’s happening from Iran and other states. One Security Operations Manager recently showed me the Iran-origination IPs that had been attacking his clients - but now to the NIST connection.


 The National Institute of Standards and Technology has been releasing cybersecurity frameworks and guidelines since 2003 to protect the nations interests and infrastructure. 


Regarding the stats above, DFARS or NIST 800-171 is a set of standards that define how to safeguard and distribute material deemed sensitive but not classified. NIST 800-171 was developed after FISMA (Federal Information Security Management Act) was passed in 2003, resulting in several security standards and guidelines.


Many subcontractors in the private sector manufacture widgets, devices, or have processes, intellectual property and technologies that relate to many of the desirable components listed above. NIST is a standard of compliance that can provide government or private sector contractors with some assurance that their business, data, processes and technologies are operating at an acceptable level of security. 


Problem is, many good companies – even multi-million dollar ones – have good IT personnel, but lack the resources to assess, remediate and maintain the appropriate controls, policies and procedures. 


Here are three key actions which are not difficult to complete:


  1. Get a NIST Control Gap Assessment.  At a fraction of a percentage of the cost of fines, fees, business loss and all costs associated with serious data breach incidents, this is a must-do investment. 

  2. Hire a Reputable Penetration Test Company. How “hackable” are you not only from the outside, but from the inside? A good external and internal test (and web application if applicable) is a small price to pay to know the answer. Indeed, it is a control found in NIST and all cybersecurity frameworks. 

  3. Engage a Fractional CISO to Kick Off Your Cyber Roadmap. A Chief Information Security Officer is usually not found in many companies, even as they approach $1 billion in revenue. It is critical to engage with an experienced contractor, with years of senior experience, who has the ability to align business interests and protect its assets with NIST or other frameworks. 



There are many tactical activities which will result from the three simple actions above. The immense change in an organization’s cyber posture will exponentially accelerate upon their completion.



By Greg Johnson, CEO Webcheck Security




Customer Experience or “CX” as it is commonly referred to, is not often associated with penetration testing and other cyber services. In fact, penetration testing is such a technical field of study and execution that rarely are the two connected. Rather it becomes about the targets being tested and the nature of the application code base, REST API or the Linux and Windows systems. These things are important, but not the only success factors in quality service delivery.


Competent testers, with sound methodology rooted in OWASP, ISECOM OSTTM or NIST, are also important, but to use one of my favorite analogies, what good is a brilliant doctor if his callous and aloof nature prevents him from really helping you? The theories and knowledge floating around his mind must translate into treatment in a meaningful way – and so it is with penetration testing!


In building a world-class penetration testing company, I realized early on that for pen testing and other services to truly be successful, the customer experience matters. From project scoping and engagement, to project kickoff, execution and reporting, there is more to success than throwing a report over the wall with a few findings and saying, “thank you for your business!”


To underscore the point, I have observed how other organizations deliver their service. Some have very little concern for client deadlines and peculiarities, desiring that all engagements fit within a tidy box. One common service element in such organizations is the actual delivery of the penetration test itself in this manner: The report is sent with very little explanation or assistance, and no offer of follow-up consultation. Further, when more information is required about how certain exploits were effectively executed, often the communication skills are lacking.


Hence, I decided that in my organization, penetration testers would be hired only if they could talk, write and care. Further, they had to have an “affability quotient.” That means they are not only pleasant to talk to but proactively helpful, taking initiative to alert the client to other conclusions or concerns down the road. We go the extra mile to schedule conferences to discuss results and remediation advice.


In the scenario described above, you have the “physician” that is not only smart, but that cares and shares with the “patient” in a meaningful way. To facilitate the “Big CX” at Webcheck Security, we built therefore several key elements into our process with every test.


Step 0 – Hire people who can talk, write, and care.

Step 1 – Discover client drivers, objectives, compliances, and test peculiarities.

Step 2 – Make it easy to engage – sign and go, pay by credit card or ACH.

Step 3 – Kickoff the project well. Hold a logistics and kickoff call to properly coordinate.

Step 4 - During the test, provide updates and information, particularly for critical findings.

Step 5 – Write clearly, include screenshots, categorize findings, offer Executive Summary.

Step 6 – Include remediation testing.

Step 7 – Offer post-test consultation.


Each of these steps is important. Oddly enough, many companies offering penetration testing and other cyber services do not perform well in any of the steps outlined above. Those companies provides a certified engineer to test, but all bets are off on the other qualities, processes, and skills.


I am aware of a particular cyber assessment company, whose client demonstrated frustration and dismay over a particular engagement. The contracted testers had indeed pivoted into a trusted network segment, but could not provide adequate details to suggest how they did it. In that case, the testers were skilled, but not so adept at the communication part, rendering the result almost useless!


At the end of the day, the client wants to know where the holes are, how to fix them, and what to prevent. All this in a timely fashion and delivered in an effective manner, by people who care about their success. Customer Experience matters in the delivery of cyber services!

3367 E Castle Cary Circle, Eagle Mountain, Utah, 84405

© 2023 by Polystat. Proudly created with Wix.com