The PCI DSS compliance model depends on risk assessment and mitigation. Several places in the Report on Compliance (ROC) that a QSA compiles ask when the Risk Assessment and its corollary, the Incident Response Plan, were last updated, and whether they were updated for recent issues, or “developments”, in the industry.
“Developments” doesn’t always mean a good thing: new methods of attack from the hacker community are developments just as much as a new heuristic or AI tool to detect them is.
PCI DSS tells us to validate the specific plans in the IRP to deal with any incidents. We were taught, in QSA class, that each unmitigated risk in the RA had to have a corresponding entry in the IRP.
Over the last couple of years, as an industry, we have had major issues with massive DDoS attacks, ransomware, DNS provider hijacking and, more recently, Spectre and Meltdown, not to mention the run-of-the-mill announcements from nearly every vendor about nearly every product.
When I am assessing whether documents have been “recently updated”, I look for all those issues to be called out. In my opinion, the Risk Assessment is not complete without them. Especially because Spectre and Meltdown had no stable vendor response at first, they should be considered higher risks, and each organization has to consider what other compensating controls might be necessary to mitigate the risks they present.
There is another issue here, too: while the PCI DSS standard and ROC testing procedures only talk about critical patches being installed within 30 days of vendor release, they are really asking for remediation of a high-risk vulnerability within 30 days of its announcement, even if there’s no formal patch available. This could mean putting in a compensating control until a formal patch is available.
When I can’t find industry-wide major announcements in either the RA or the IRP, I begin to look deeper for what else might have been missed. Please don’t become non-compliant because your radar is not attuned to vulnerability announcements the way Requirements 6.1, 12.2 and 12.10 prescribe.