Secure Payments, PCI DSS, Regulatory Compliance Blog

Standards for the Standard?

July 28th, 2007 by Rob Newby Posted in Compensating Controls, QSA

PCI is confusing. The requirements themselves are simple enough, and aim to strike a balance between supporting business objectives and prescribing network topology. I have found it a useful guideline at CSO level, even when engineers find it a little frustrating and upper management are confused by the detail.

What PCI has done well, however, is not to dictate too precisely, to the point where companies would automatically fail because of their configurations. This flexibility takes the form of “compensating controls”. An example of this reached me today via Martin McKeay’s PCI DSS Yahoo! group. The question was around holding unencrypted credit card data, and how long it was viable to do so. Under strict PCI DSS rules, you shouldn’t do this at all. But compensating controls suggest that if you have issues, such as a mainframe that will not support encryption (as posted by Martin in reply), then there are ways of avoiding the penalties.

He then goes on to say: “You cannot put in a series of controls you think are okay and hope it will pass the audit. Compensating controls are something that have to be run through the PCI system on an individual basis. The worst part of that is, what gets an okay for one merchant may not get passed for another simply because of the way your auditor presents it. There’s no standard for compensating controls.”

If there’s confusion over parts of PCI, or you don’t think there’s a way to achieve a part of it in your environment, the chances are there’s a compensating control. Your QSA should be aware of all of these and advise accordingly. Personally I would be wary of any QSA affiliated with, or creating, their own software/hardware solution to address anything but the audit itself, as this will create a bias in the report; but the QSA is there to help.

To get the comments ball rolling, I’d like to know 2 things. Should we be trying to standardise compensating controls in some way? If so, how? And, should QSAs be required to be independent?

OK, that’s 3 things.

Disclaimer: I work for a vendor, but it is in no way associated with Aegenis. I am an associate of Heather’s from a previous job and a friend of Mike’s. I do not sell my wares here, or try to push people towards them in my replies.

3 Responses to “Standards for the Standard?”

By Jeff Hall on Jul 29, 2007

    As a QSA and a person that also regularly performs IT general controls assessments, there is no way to standardize compensating controls. You can provide examples of acceptable compensating controls, but you cannot prescribe any one solution as a standard. This is because no two organizations are structured/configured the same to implement a so-called ‘standard’ compensating control.

    And, even if you accept a compensating control one year, it’s likely not functioning the same way the next time you assess it. I’ve seen this happen all of the time, even with organizations that are very diligent about their control environment. The reason is that, typically, compensating controls rely on human intervention/involvement and human beings introduce human error into the control thus causing the compensating control to not function the same the next time it’s assessed.

    On the QSA independence issue. QSAs have to act independently, otherwise the program will be viewed by the organizations being assessed as just a marketing scheme by hardware, software and services organizations to get their foot in the door to sell their wares. Since I work for an organization that is overseen by the AICPA, I have no choice but to act independently. However, in the end, those organizations that do not act independently and do not win their client’s trust will lose the client to a provider that provides that independence and trust. So, I think the marketplace will remove those players that do not act independently.

By Michael Dahn on Jul 29, 2007

    I think it’s important when picking out a QSA that you ask them up front what their understanding is of compensating controls and how they have applied them in the past.

    It would be best if you had an understanding of your compliance state and could ask them direct questions about touch areas of your internal compliance effort.

    Picking a QSA is like picking a mechanic. You have to know a little about the work being performed, and it’s always good to have one you like, trust and respect.

By Paul Caloca on Aug 4, 2007

    Appendix C Compensating Controls Worksheet provides a QSA the opportunity to describe the compensating controls in the context of a simplified risk analysis. This is an excellent framework, as the overall objective is to reduce the risk that credit card data can be compromised. If the compensating control has the effect of greatly reducing the risk of compromise, then the control should pass muster with the card associations and acquirers. Unfortunately, in some of the ROCs I have read, the QSA has an insufficient grasp of how the proposed controls reduce risk. Fortunately, that population of clueless QSAs is small, but they are still out there, so a strong interview process that includes risk analysis is critical when compensating controls are to be considered.
