PCI Purgatory*

*Updated: Now with Extra Snark!

Let me clarify, I’m not a QSA, ISA or any other type of SA**. But as the senior architect for a security team, I’m usually expected to have the last word on technical implementations. Like many, I’ve been stuck in PCI purgatory since the release of the 3.0 standard. New requirements to interpret, countless discussions with the QSA and the acquirer, arguments with the rest of the organization who barely understand payments and think they get to have an opinion: it makes me want to shred all my own credit cards. In addition to the scoping changes with ecommerce, the Service Provider definition was modified.

Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services as well as hosting providers and other entities. If an entity provides a service that involves only the provision of public network access—such as a telecommunications company providing just the communication link—the entity would not be considered a service provider for that service (although they may be considered a service provider for other services).

Okay, I admit it, I didn’t pay much attention to this. It didn’t really seem that different. But the devil is in the nuanced PCI details. We recently engaged a contractor who performs third-party security for my organization. He was new to PCI DSS and we wanted to modify our TSP questionnaire to capture PCI DSS status if the partner was capturing payment card data for us and interacting with our payment processor on our behalf, using our merchant ID. He actually READ the new standard, pointing out that these entities were now considered service providers and to my horror, I discovered he was correct. I also realized that EVERYONE seems to be freaking out over this, most getting it completely wrong.

If there was even one iota of doubt left in my mind, this section from the PCI DSS Information Supplement: Third Party Security Assurance resolved it:

Examples of Third-Party Service Providers

Below are examples of types of services and providers with which an entity may work:

  • Organizations involved in the storage, processing, and/or transmission of cardholder data (CHD). Third-party service providers in this category may include:
    • Call centers
    • E-commerce payment providers
    • Organizations that process payments on behalf of the entity, such as a partner or reseller
    • Fraud verification services, credit reporting services, collection agencies
    • Third-party processors
    • Entities offering processing-gateway services
  • Organizations involved in securing cardholder data. TPSPs in this category may include:
    • Companies providing secure destruction of electronic and physical media
    • Secure storage facilities for electronic and physical media
    • Companies that transform cardholder data with tokenization or encryption
    • E-commerce or mobile-application third parties that provide software as a service
    • Key-management providers such as key-injection services or encryption-support organizations (ESO)
  • Organizations involved in the protection of the cardholder data environment (CDE). TPSPs in this category may include:
    • Infrastructure service providers
    • Managed firewall/router providers
    • Secure data-center hosting providers
    • Monitoring services for critical security alerts such as intrusion-detection systems (IDS), anti-virus, change-detection, compliance monitoring, audit-log monitoring, etc.
  • Organizations that may have incidental access to CHD or the CDE. Incidental access is access that may happen as a consequence of the activity or job. TPSPs in this category may include:
    • Providers of managed IT delivery channels and services
    • Companies providing software development, such as web applications
    • Providers of maintenance services

So stop arguing with reality (and me). Oh and for the record, I don’t care what you, your mom, your dry cleaner, or another merchant thinks about PCI. I love those people who spend 30 minutes going through the standard and think they understand it because they’ve read the words. As most of us know who’ve worked with PCI for any amount of time, it’s a bit like pornography. Everyone has a different definition. As far as security and compliance teams are concerned, the only opinions that matter come from the acquirer, the QSA and the organization’s ISA. Moreover, a security team for an organization usually has thousands of hours of combined experience in PCI DSS. A non-practitioner offering us “suggestions” is the equivalent of someone offering Misty Copeland advice about her grand jetes after taking one ballet class.

**Qualified Security Assessor, Internal Security Assessor
