Are you a Service Provider or a Merchant?
This is an important question because merchants and service providers are accountable to different entities for their PCI DSS compliance. These entities are the people that will need to know about your (temporarily!) failed status and they will want regular communications from you starting now until you successfully complete your compliance assessment.
If you are a merchant, you need to engage your compliance contact or the primary contact at your acquirer.
If you are a service provider and your biggest customers count on your PCI DSS compliance for their own compliance efforts, it’s time to get your organization’s assigned relationship manager (this may be the account manager, salesperson, or client service representative in your organization). The relationship manager will help you communicate your progress to customers and address any concerns they might have. Your customer has stakeholders, and maybe their own QSA to answer to. Keeping your customers informed will help you work through this and maximize your chances of keeping their business.
You should also start work on a written report. Describe what the issue is and what your plan is. It would be great to be able to commit to a timeline for resolution, but at the least you should commit to when the timeline will be known. The more (accurate, confirmed, non-speculative) information you give, the better off you will be. Your partners have better things to do than hound an organization that obviously has the matter well in hand and is looking out for its interests. Non-communication, or incomplete or inaccurate information, will quickly get you on their list of organizations that might not be appropriately managing the risks to cardholder data.
What, exactly, is the issue?
What is the root cause of your PCI Assessment failure? The details of the failure might not be as important as the root cause when prepping the remedy.
It might be one of the following:
Was it a new requirement that you weren’t aware of?
Was it a new interpretation by the QSA?
QSAs are constantly receiving updated guidance on how to interpret the requirements of the PCI DSS via newsletters, Security Council whitepapers, and updates to the Council’s FAQs. This means that a QSA’s interpretation can change from year to year. Or maybe you have a new QSA, and their interpretation is different from that of last year’s QSA. They might have a new method of investigation and have uncovered an issue.
Ensure the QSA’s interpretation is rock solid
QSAs are people like the rest of us; they can have a bad day and make a mistake too. If you just aren’t sure that your interests are being taken care of after reviewing an interpretation issue with your QSA, here are some additional methods of resolution:
New components, or payment channels, or business functions in the cardholder data environment
This might sound radical, but if the problem you are trying to solve is in a brand new environment, you might not have to assess the new environment. You may be able to buy yourself some time by assessing only the old environment and specifically excluding the new one. Your assessor should identify what they did or did not assess, but it’s possible your important commitment to your main client doesn’t rely upon the new environment. The less demanding customers on the new environment may be willing to wait a couple of extra months to get service, as they are already assessed as PCI DSS compliant.
Have you gone through all the above and still have questions? It’s time to stop googling for the answer and call an experienced QSA for assistance.
Minimizing the risk of failed assessments
I always recommend getting an early start on your annual assessment. Ideally, you engage your Qualified Security Assessor (QSA) several months before your last assessment date, as it appears on your AOC (Attestation of Compliance). Very early in the engagement, your QSA should orient themselves in the environment and obtain a high-level summary of everything that has changed. They should also advise you of any new requirements in PCI DSS that could affect you. If this is your first assessment, you may be working to a deadline set by your acquirer, or potentially to a contractual obligation with a customer.
If you are starting your annual assessments early, you will be in good shape with a lot of time to remediate any issues before your deadline.
Learn more about Online Business Systems’ Risk, Security and Privacy practice by clicking here.