NOTE: Compliance with PCI DSS is mandated by the contracts merchants sign with the card brands (Visa, MasterCard, etc.) and the banks that handle their payment processing. In a few states it is also a law.
We asked recognized expert Jeff Hall how the PCI DSS 4.0 rule changes regarding ASVs might impact various businesses.
The PCI SSC decided that QSAs cannot use CCWs in place of ASV scans.
Unbeknownst to all but QSAs and ASVs, the PCI Security Standards Council told those parties early this year that a compensating control worksheet (CCW) could no longer be used to address missing ASV scans, and QSAs were directed to judge organizations with missing ASV scans as non-compliant.
According to Jeff, “Where QSAs are struggling with this decision is where organizations are conducting monthly vulnerability scans using the scanning vendor’s PCI scanning rule set and neglect to flag/indicate that the scan is to be considered a quarterly ASV scan and therefore do not generate an ASV certificate. From a technical perspective, the scan is conducted exactly like the ASV scan. It is just missing the ASV certificate. In the case of Truvantis, almost all of our clients run monthly external vulnerability scans using their scanning vendor’s PCI scanning rule set.
An argument is being made to the Council that this situation would qualify as a ‘technical constraint’ under the CCW criteria because a check box was missed that caused a scan to not be an ASV scan. We have no idea if the Council will agree with that assessment of this situation, so time will tell.
In the meantime, until the Council weighs in on that CCW decision, be prepared to face a non-compliant judgment if you are missing one or more ASV scans.”
What does a QSA do?
“Well, you review documentation and you file it away in the right buckets under the assessment you're doing, and then you write up the requisite language around it to complete the assessment.
And you do that until you complete the assessment. Some assessments, for example, take quite a while because they have to hit all, what is it, 400 and some odd tests, versus somebody only doing sections six, two, 11 and 12, because the rest of it is on some other party. For example, they're just developing stuff. They're not actually running it. Their customer runs it in operation.
If you're a merchant, if you're Target, Walmart, whatever, you have an e-commerce site that you operate and that site has to be scanned at least quarterly by an ASV.
And the way that usually works, John, is you've got a third party, like a Qualys or Tenable, somebody like that, where you go into their portal and you would tell them to run a quarterly ASV scan.
Now with Qualys and Tenable however, you can actually schedule these scans and most people have them scheduled to run monthly. But every quarter you have to manually go in and flag that scan. You actually have to manually tick a box and say this time it's an ASV scan.
The best example I can give you is an organization doing monthly scans, who recently lost the security guy who was ticking that box and hence they forgot to tick that box twice in a year. They only had two ASV scans, not four, but they did have 12 monthly scans. In theory they had done the quarterly scan. They just didn't have the magical certificate that says it was an ASV scan even though they used the same policy as the ASV scan. It just didn't have the box checked.”
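As an added example (not code from the podcast, Jeff Hall, or Truvantis), a small Python check that applies the distinction Jeff describes: scans run with the vendor's PCI rule set versus scans actually flagged as the quarterly ASV scan. The `ScanRecord` shape and the sample data are assumptions, constructed to mirror the two-of-four case above, so the same logic can be pointed at an export from a real scanning portal.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ScanRecord:
    """Assumed shape of one external scan run exported from the scanning vendor."""
    run_date: date
    profile: str         # vendor rule set used, e.g. "PCI"
    asv_attested: bool   # True only if the "this is the quarterly ASV scan" box was ticked


# Constructed sample: 12 monthly PCI-profile scans, but the ASV box was
# ticked only in February (Q1) and August (Q3), giving two ASV scans, not four.
SAMPLE_SCANS = [
    ScanRecord(date(2023, m, 15), "PCI", asv_attested=(m in (2, 8)))
    for m in range(1, 13)
]


def quarter_of(d: date) -> tuple[int, int]:
    """Map a date to (year, calendar quarter 1-4)."""
    return d.year, (d.month - 1) // 3 + 1


def asv_gap_report(scans: list[ScanRecord], year: int) -> dict[str, list[tuple[int, int]]]:
    """Classify each quarter of `year`:
    - covered:              at least one PCI-profile scan was flagged as the ASV scan
    - scanned_not_attested: PCI-profile scans ran, but none was flagged (the case in the text)
    - no_scan:              no PCI-profile scan at all
    """
    report: dict[str, list[tuple[int, int]]] = {"covered": [], "scanned_not_attested": [], "no_scan": []}
    for q in range(1, 5):
        in_q = [s for s in scans if s.profile == "PCI" and quarter_of(s.run_date) == (year, q)]
        if any(s.asv_attested for s in in_q):
            report["covered"].append((year, q))
        elif in_q:
            report["scanned_not_attested"].append((year, q))
        else:
            report["no_scan"].append((year, q))
    return report


def is_asv_compliant(scans: list[ScanRecord], year: int) -> bool:
    """Under the Council position described above, only attested scans count;
    an unflagged scan with the same rule set still leaves the quarter uncovered."""
    report = asv_gap_report(scans, year)
    return not report["scanned_not_attested"] and not report["no_scan"]
```

Running the report monthly rather than at assessment time surfaces an unticked box while the quarter can still be rescanned.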
Do you think this is a fair thing for the SSC to do? What's the working relationship between the PCI SSC and the QSAs? Do you think they really understand what you guys do?
For the answer to this question and more from Jeff, please listen to the full podcast.
If you have questions or would like help with PCI DSS 4.0 please contact Truvantis today.
- PCI DSS: Payment Card Industry Data Security Standards
- PCI SSC: PCI Security Standards Council
- QSA: Qualified Security Assessor
- ASV: Approved Scanning Vendor
- SAQ: Self-assessment questionnaire – Level 2 or lower
- ROC: Report on Compliance
Truvantis is a cybersecurity consulting organization with comprehensive expertise in implementing, testing, auditing, and operating information security, privacy and compliance programs. We specialize in helping our clients improve their cybersecurity posture through practical, effective, and actionable programs – balancing security, technology, business impact
CISA, CISM, CDPSE, PCI QSA
Jeff Hall is a Principal Security Consultant at Truvantis and was the founding President of the Minnesota InfraGard chapter, the public/private partnership between businesses and the US Federal Bureau of Investigation (FBI).
Jeff is a skilled project manager and has delivered PCI DSS compliance projects that others thought were impossible. He is also an accomplished writer and communicator with a popular blog and a busy calendar of speaking engagements at various conferences and symposia.
Jeff’s latest book, The Definitive Guide to PCI DSS Version 4: Documentation, Compliance, and Management written in partnership with the PCI Dream Team, is available now on Amazon.