PCI is probably one of the few compliance programs out there equipped with a compliance validation toolbox. In this newsletter I would like to briefly cover the content of this toolbox.
ASV network vulnerability scans
This tool has been specifically designed to help organizations meet one particular requirement of PCI DSS (11.2.2):
"Perform quarterly external vulnerability scans via an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC)."
PCI requires the external network scans to be performed by security companies qualified by PCIco on an annual basis (Approved Scanning Vendors).
The scope of the external vulnerability scan must include all externally accessible system components that are part of the cardholder data environment. It should also include any externally-facing component that provides a path to the cardholder data environment.
The scan customer is responsible for defining the scope of the external vulnerability scan. If an account data compromise occurs via an externally facing system component not included in the scan, the scan customer is responsible.
ASVs are to validate any IP addresses found during the scan with the scan customer to determine whether or not they should be included within the scope of the assessment.
The ASV scan report consists of three parts:
- An attestation of compliance (AOC) (global compliance attestation)
- An executive summary (component compliance summary information)
- A detailed vulnerability report (detailed list of vulnerabilities)
A passing result is obtained when the scan report contains no high or medium severity vulnerabilities and no automatic failures as defined by PCIco.
To be considered compliant, an organization must pass four consecutive ASV scans within twelve months.
Self-assessment questionnaire (SAQ)
The self-assessment questionnaire, often referred to as the SAQ, allows organizations to self-evaluate their compliance with PCI DSS. It is a useful tool to determine, document and track alignment with the standard.
There is a specific SAQ version for each merchant "type" (see PCI 30 sec newsletter #5). Each SAQ covers only the PCI sections and requirements relevant to the corresponding merchant type.
The SAQ consists of two parts:
- Questions correlating to the PCI DSS requirements
- Attestation of Compliance (AOC) or self-certification that a company is eligible to complete a specific SAQ type
The different SAQ versions were originally designed to be filled out by hand and were only available in PDF format; however, the current official edition is available in both PDF and Word format. Besides these official formats, I currently maintain a composite Excel version combining all the self-assessment types into one sheet (see references), and there are online SAQ platforms available that facilitate completion of your self-assessment.
On-site audit
This tool is a thorough assessment performed within organizations to validate their adherence to the standard.
Such assessments must be conducted by Qualified Security Assessors (QSAs) or Internal Security Assessors (ISAs), both trained and approved by PCIco.
If internal individuals are used, the key point is that they must belong to an internal audit organization. For obvious independence reasons, IT staff or information security staff cannot perform the assessment.
On-site audit includes:
- Validation of the scope of the cardholder data environment
- Verification of all technical and procedural documentation
- Confirmation that every PCI DSS requirement has been met
- Evaluation, acceptance or rejection of compensating controls
- Production of the Report on Compliance (ROC)
Which tools are relevant for my organization?
While the validation rules are specific to each payment brand, they are all based on the merchant "levels" (see PCI 30 sec newsletter #4).
Depending on your level, you will either need to go through an annual on-site audit or complete the SAQ appropriate to your type (see PCI 30 sec newsletter #5). It is highly recommended that entities that must go through an annual on-site audit also complete the SAQ as preparation for the on-site inspection.
In addition, nearly all organizations must present passing results of quarterly network perimeter scans, which have to be performed by Approved Scanning Vendors (ASVs).
- The best way to know which validation tools you are subject to is to refer to your acquirer(s).
- VISA Canada requires Level 2 and 3 merchants to validate their SAQs with a QSA. Personally, I don't see any QSA endorsing an SAQ without a thorough inspection, so I don't see any difference between this validation and an on-site audit, particularly in terms of cost for the entities subject to compliance. If you have any information about this topic, please let us know in the comments section.
References
- PCI reference page about PCI assessors (QSAs, ASVs, ISAs):
- SAQ instructions and guidelines:
- Unofficial SAQ Excel sheet:
- Mastercard PCI validation requirements:
- Visa validation requirements:
- Amex validation requirements:
- JCB validation requirements: