PCI DSS Level 1 Assessments: Taming the Beast
Introduction
Let’s face it: when you compare the v3.2.1 Report On Compliance (ROC) Template with its v4.0 successor, the new iteration is a beast of a document. The page length alone has increased by circa 166%, and the assessments are now very much focused on having referenced evidence to support the Qualified Security Assessor’s (QSA’s) assessment findings.
Consequently, there are now far greater dependencies between Parts 1 and 2 of the ROC template, e.g.,
- Referencing your sample sets that are used as evidence in part 2, to section 4.9 of part 1.
- Referencing your evidence used in the sub-requirements in part 2, to section 6 of part 1:
  - Documentary evidence used in support of an assessment finding in part 2, cross-referenced in the table in Part 1, section 6.2.
  - Interview evidence used in support of an assessment finding in part 2, cross-referenced in the table in Part 1, section 6.3.
  - Observational evidence used in support of an assessment finding in part 2, cross-referenced in the table in Part 1, section 6.4.
  - Systems-based evidence used in support of an assessment finding in part 2, cross-referenced in the table in Part 1, section 6.5.
This is only one example of the significant changes that have been introduced as part of the Payment Card Industry Security Standards Council (PCI SSC)’s evolution (some may say revolution) of the level 1 assessment practices.
How will your QSA Company raise the game, to meet these new challenges?
- Expect your QSAs to work longer hours/intensive assessments.
- Charge your clients for the additional time to complete these new assessment requirements.
- Take shortcuts.
- Use an array of manual practices (e.g., multi-screens, spreadsheets with macros, comprehensive notes, copy and paste, etc.).
Let me introduce you to a brand-new application, designed exclusively for QSAs, to help them use technology to ‘Tame the Beast’:
27k1’s ROC Management System (RMS).
The net benefits, amongst others, of investing in the use of such technology include:
- Reducing the time wasted on continual flipping between Part 1 and Part 2.
- Improved harmonization.
- Improved efficiency.
- Reduced error rates.
- Automation of manual tasks.
- Reduced stress.
- Enhanced quality.
- Completion tracking.
- Integrated Quality Assurance.
- Enhanced consistency.
- Time-efficiency.
- Integration of the evidence referencing (Part 1) with the assessment findings (Part 2).
Evidence-Focused Assessments
In much the same way as a police investigation would expect all the evidence to be referenced in support of an investigator’s findings, in PCI DSS v4.0 level 1 assessments, the expectations are the same. As you can see from figures 1 & 2, for every assessment finding there needs to be a reference to the supporting evidence, which has been generated by the QSA.
Figure 1: Page vi, PCI DSS v4.0 ROC Template r1: ROC Template Instructions, dated December 2022
Figure 2: Evidence Referencing
The new evidence-focused assessments are not only laborious and time-consuming but can lead to errors.
This is where some of the features within 27k1’s ROC Management System come into play. Imagine a world where the evidencing requirement has been harmonised so that this significant proportion of the new ROC assessment practices have become a seamless practice.
- No more time wasted flitting between Part 1 and Part 2 of the PCI DSS v4.0 ROC template.
- No longer needing to take notes of the assessment finding you were working on, so that you don’t forget to add the cross-reference when moving between Part 2 and Part 1.
27K1 RMS: A Gamechanger for Evidence Referencing
No doubt there are going to be ‘old and bold’ naysayers who will be defiant in their belief that they can create their own ‘manual’ or ‘in-house’ ways of simplifying this practice, or that you can simply adapt your existing v3.2.1 practices, or the ‘penny pinchers’ who don’t see the value of investing in such a solution.
“We successfully adapted from v2.0 to v3.0, without the need for any investment in a COTS solution.
I don’t see any need to do so now!”
Or
Perhaps, as happens with most QSA Companies, you are far too busy scrambling (figure 3) to get your existing clients through their last v3.2.1 assessments (before the cutoff date) to even have had the time to investigate the potential implications of the new v4.0 assessment practices.
Figure 3: The Life of a QSA as PCI DSS v3.2.1 nears retirement.
If you are one of these people, then you may not be interested in reading any further. However, for those of you who are concerned about how you will maintain your high standards whilst minimising the impact on your customers and your QSAs, or if you are just open-minded or intrigued as to how 27K1’s RMS approaches this issue, please do read on.
Using technology, 27K1’s RMS enables the QSA to seamlessly reference the supporting evidence by integrating the frontend (Part 1) with the backend (Part 2) of the ROC template.
Let’s have a look to see this in action.
Preparation & Planning
Prior to the commencement of the v4.0 assessment (example shown in Figure 4), the QSAC would create four spreadsheet-based evidence worksheets, which have been designed to align with the Section 6 table formats.
Figure 4: Evidence Worksheets
Phased Assessments
As the QSA, you may wish to break your client assessment into phases, e.g.,
- Phase 1: Documentation Reviews.
  - Identify all the applicable PCI DSS Requirements that require a supporting piece of documentary evidence.
  - Based upon the assessment scope, provide the client with a comprehensive list of required documentation.
  - On receipt of the documentation, carry out a review and complete the supporting document review log.
  - Upload the content of the documentation review log to Section 6.2.
- Phase 2: Interviews.
  - Identify all the applicable PCI DSS Requirements that require a supporting piece of interview evidence.
  - Create an interview plan.
  - Carry out interviews.
  - Compile interview notes.
  - Complete the interview evidence log.
  - Upload the content of the interview evidence log to Section 6.3.
- Phase 3: Observations.
  - Identify all the applicable PCI DSS Requirements that require a supporting piece of observational evidence.
  - Cross-reference supporting evidence (Part 1, Section 6.4) whilst completing the assessment findings in part 2.
- Phase 4: Systems Examinations.
  - Identify all the applicable PCI DSS Requirements that require a supporting piece of systems evidence.
  - Cross-reference supporting evidence (Part 1, Section 6.5) whilst completing the assessment findings in part 2.
Now, as you can see from figure 5, should you wish to organise your assessment into phases (as detailed above), the 27K1 RMS enables you to filter your assessment based on the evidence types.
Figure 5: Evidence Types Filtering
Integrated Evidence Referencing
So, using the 27K1 RMS, the QSA is given the ability to add evidence references at either the frontend or the backend and to instantly cross-reference between the frontend (Part 1, Section 6) and the backend (Part 2, Assessment Finding), as shown in figures 6, 7 & 8:
Figure 6: Frontend Evidence Upload
Figure 7: Backend Evidence Upload
Recommendations
I would highly recommend that every QSA Company investigates what changes are needed to deliver a suitable level 1 ROC-based PCI DSS v4.0 assessment, and identifies how it plans to meet these new challenges, to minimise the impact on the organization, its QSAs and its clients.
Once you have done this, why not get in touch with 27K1.com and request a demo of their RMS to ascertain for yourselves how this could enhance your level 1 assessments, whilst improving your efficiency, saving time and (most importantly) reducing the potential for burnout amongst your QSA teams.
Conclusion
Yes, the level 1 assessment requirements have changed significantly from PCI DSS v3.2.1 to v4.0, and without technology this could prove to be extremely burdensome, complex and time-consuming for QSA Companies.
However, it doesn’t need to be that way, and so 27K1 have designed and developed an application that digitalizes the ROC template so that time-saving, stress-saving and quality-improvement features can be incorporated.
The RMS application has been explicitly designed and developed for QSA Companies so that they can be more productive, whilst helping to automate many of the manual processes.
Additionally, all the rules associated with the new ROC template have already been integrated and baked into the features of 27k1’s RMS application.
As shown in figure 9, PCI DSS v4.0 ROC level 1 assessments have added much more weight to the cart and, yes, you could still struggle to move the assessment down the road using your existing cartwheels, or you could investigate how the new round cartwheels will make your life far easier and more efficient.
Figure 9: QSACs – Struggling on With Their Existing Square-wheeled Carts.