PCI DSS: The Data Centre Enigma
"All things are subject to interpretation; whichever interpretation prevails at a given time is a function of power and not truth."
Never has a quote been more relevant than in the world of the Payment Card Industry Data Security Standard (PCI DSS).
How frustrating is it for the entity who year on year gets differing interpretations for their annual compliance?
The Payment Card Industry Security Standards Council (PCI SSC) try their best to assist both the Entities and Qualified Security Assessors (QSAs) in clarifying the principles and objectives of the PCI DSS controls through their Frequently Asked Questions (FAQs) resource (as described in the final chapter of my book on PCI DSS).
However, still we see different QSAs putting their 'own spin' on what is (or what is not) correct and, as a result, entities often get increasingly frustrated and disheartened with maintaining PCI DSS compliance.
None more so, than Data Centre Service Providers!
Although a Data Centre provider may not be directly involved in the processing, storage or transmission of ANY cardholder data, they do have the responsibility for securely housing the systems that support the Cardholder Data Environment (CDE).
Consequently, if the physical security is compromised, an attacker could impact the integrity of the CDE and potentially enable them to breach the payment card operations.
As a result, as per FAQ 1312, any entity housing their CDE systems within a 3rd Party Service Provider's Data Centre could have their PCI DSS compliance impacted as a result of the Data Centre's compliance status.
Although, this has some wriggle room for interpretation as well. If you look at the specific PCI DSS 12.8.4 & 12.8.5 controls, they do not stipulate that entities must use a validated PCI DSS compliant Data Centre (only that they monitor the 3rd Party Data Centre's PCI DSS compliance status).
This is further clarified by the content of the PCI DSS itself, which provides 2 options for validating a Service Provider's PCI DSS compliance:
Annual assessment: Service providers can undergo an annual PCI DSS assessment(s) on their own and provide evidence to their customers to demonstrate their compliance, or;
Multiple, on-demand assessments: If they do not undergo their own annual PCI DSS assessments, service providers must undergo assessments upon request of their customers and/or participate in each of their customer’s PCI DSS reviews, with the results of each review provided to the respective customer(s).
Another area that gets subject to a great deal of differences in interpretation is whether a Data Centre should be deemed as a level 1 or level 2 Service Provider.
Next, as a Level 1 Merchant or Service Provider (using 3rd party services), cometh the annual QSA validation of your PCI DSS compliance status.
One year, the QSA reviews the Data Centre's QSA-validated Attestation of Compliance (AoC) against your Responsibility, Accountability, Consulted, Informed (RACI) matrix, to confirm that all the outsourced controls have been QSA validated for PCI DSS compliance.
Another year, the QSA insists on carrying out yet another validation of the Data Centre's PCI DSS controls.
Now, imagine the frustration and confusion this causes for a Data Centre that is responsible for providing the Physical Security measures for a variety of PCI DSS entities.
Imagine the difficulty they will have in supporting the PCI DSS compliance requirements of each of their different entities, to ensure that they can meet the different Card Brands' requirements, QSAs' expectations and different types of payment card operations (e.g. data stored, fully outsourced payments (through a PCI DSS compliant 3rd Party PSP) with no data storage, etc.).
Effective management of third parties is an essential component of any PCI DSS compliance programme and needs to be appropriate to the potential for impact (e.g. the aggregation principle).
Unfortunately, despite the additional efforts of the PCI SSC in producing supplementary guidance documents (Information Supplement • Third-Party Security Assurance • March 2016), this has provided limited improvement to the process, with both the Entities and Service Providers remaining subject to the QSAs' interpretations.
Consequently, until this is hopefully addressed in the next iteration of the PCI DSS (v4.0), the recommendations I am able to provide are extremely limited.
However, these recommendations may provide a little help in the complex PCI DSS world of Service Provider/Third Party Management (12.8):
PCI DSS Entities:
Reach out to your Acquiring bank and Card Brands and request formal documented descriptions as to what they would deem to be acceptable.
Work with your 3rd parties to complete and maintain a RACI matrix.
Work with your 3rd parties to ascertain what other industry controls they might be validated against (e.g. ISO27001: Annex 11, ISO27017, CSA STAR, SOC 2, etc.), which could be considered to help assess the real risks.
Reach out to your QSA Company to request formal documented descriptions as to what they would deem to be acceptable.
Ensure that the QSA aligns to this and fulfils their requirement to act in accordance with the PCI SSC's Code of Professional Responsibility.
Now, this is where I really struggle to make recommendations to help ease the frustration for Data Centre owners/managers.
Their very business is to provide the physical infrastructure for their customers and, of course, they want to provide suitable services that meet their customers' needs, but how can they do this when there are so many different interpretations of what is expected?
Clearly, some QSAs may insist that all Data Centres should be regarded as Level 1 (requiring an annual onsite assessment conducted by a QSA). Why wouldn't they? Isn't it more business for them?
However, such Data Centres should then not be required to provide additional evidence as part of their level 1 PCI DSS validation.
Consequently, the only recommendations I can offer to the Data Centres are as follows:
Work with your PCI DSS customers to ratify what is the highest level of expectations for validating compliance and align your PCI DSS compliance to match, so that all lower requirements will be covered.
If you have undergone level 1 validation of PCI DSS compliance, reach out to your assessing QSA company and have them speak with any QSA that is questioning the validity of their AoC.
Await the changes that will be included in the release of v4.0, which will hopefully bring more clarity with it.
The current version of PCI DSS presents multiple opportunities for interpretations/misinterpretations which can make life extremely difficult for both the PCI DSS entity being assessed and their outsourced Data Centre operations.
However, by applying an integrated approach between PCI DSS assessed entities, Acquirers, Card Brands, QSA Companies and Data Centre service providers, there is an opportunity to reduce the potential scope for differing interpretations and expectations.
The resulting benefit will make this process smoother for everyone involved, and will help the Data Centre Service Provider to tailor their compliance efforts to match their PCI DSS customers', Acquirers' and Card Brands' expectations.
For example, an Acquirer or the Card Brands could deem it acceptable for a Data Centre Service Provider (subject to numerous independent industry security assessments) to validate their PCI DSS compliance through the completion of an annual Self Assessment Questionnaire - Service Provider (SAQ-SP) and Attestation of Compliance (AoC-SP), without needing to incur the additional expense and resource utilisation of a QSA validation assessment.