Maryann Douglass, a Principal Consultant and PCI QA Lead with Online’s Risk, Security and Privacy practice, has over 17 years of PCI experience. She spent the first 13 years maintaining the PCI compliance program for a major US retailer. In 2018, Maryann joined Online as a consultant to help clients achieve their PCI compliance. Now, as a QSA, Maryann leads the PCI assessments. Helping others to achieve their goals is important to Maryann. She joined other female teammates to create and deliver a presentation that encourages other females to make the leap into the cybersecurity world, making it clear that they already have some of the skills and can acquire the skills they don’t. She has developed and presented security topics to a local University. As a board member for the Georgia State University Perimeter College Board of Advisors, Maryann shares her security, privacy, and governance experience to support students attending her alma mater.
In the spirit of Cybersecurity Awareness Month, we want to showcase the many facets of cybersecurity and how it intertwines with everyday business processes.
This post shares the unique and valuable perspective of a former GRC Director-turned-QSA on how to make your PCI Assessment easier on all parties.
When I worked as the GRC Director for a major national retailer, I would often ask the QSA working with us on our PCI assessment two of my favorite questions:
“Why do you need that?”
“Why is it taking so long to get me the ROC (Report on Compliance)?”
From my perspective, the process for an assessor to complete the ROC simply included an interview or document, a checked box, and maybe a few comments if something is delivered, and move on, right?
Now the truth is I knew there was more involved in getting the ROC completed than just that. After all, I provided the QSA with copies of all the documentation and supporting evidence they needed to review, I was in all the interviews they conducted and I received the 200+ page report.
But you get my point. It should be a slam-dunk for a QSA to complete.
After 11 years in that role, I decided to take on a new challenge: become a QSA.
Welcome to the dark side, right?
It’s Confession Time
Let me be honest and confess something to you before I go any further. After I completed my first assessment as the lead QSA, I had to reach out and apologize to my previous assessors for all my past remarks from my previous lofty role!
I had NO IDEA what was required to complete a ROC. NO IDEA of the work effort and time it took to review documents or the exercise to pull samples. NO IDEA…
Let’s think about it: there are over 500 blocks of information to fill out in a ROC. And it is NOT just checking a box. In order to respond to any of the requirements, an understanding of the environment is needed, scope of systems must be defined, evidence and business documentation must be linked to requirements. Then the oversight: interviewing responsible personnel for each item, review of systems in production, testing, etc. Whew – the process is extensive! And then of course any new discoveries along the way could increase work on both sides. Now that I’ve walked a few miles in both sets of shoes, I have a new perspective on what it takes to achieve PCI compliance!
The Two Perspectives
No matter how you look at it, there are two perspectives to every PCI Assessment – the organization and the QSA. Both perspectives are important to achieving compliance but the lenses they look through are different, and the impacts are different too. Let me share two quick examples:
Example 1: Discovering Gaps
Maintaining PCI compliance is an ongoing effort for every organization. The requirements are constructed to ensure that the organization’s eye is always on the security ball. But we know that situations happen, best practices are overlooked, and gaps are created. During quarterly reviews, program elements such as missed patches on an in-scope system or undocumented changes to a production application would have unintended consequences to sustaining PCI compliance. I could not keep the assessment on schedule if a QSA came into our organization and found compliance gaps. Once a gap was found, other projects for the impacted team would need to be put on hold until the issue was addressed.
As a QSA, when a gap is discovered, rework of previous reviews is necessary. Additionally, new documentation from the customer on how they will ensure the gap will not occur again is required. Depending on the extent and risk of the gap, a QSA may now need to look at an increased sample size up to all in-scope systems--not just a sample set. The more compliance is part of daily work efforts, the more straightforward the assessment will be for both sides.
Example 2: What is Required
As a GRC lead, when a QSA asked a question that I felt did not align with a requirement, it put me on the defensive and I immediately went back to one of my two favorite questions – “Why do you need that?” Part of my responsibility was to ensure the QSA stayed on track, looking at the situation within the organization, and determining if a call-out was necessary. This can be challenging.
One year, we were working with a new QSA who insisted that our Information Security Policy use the word “must” versus “should”. The impact of this change had a ripple effect in the organization when it really didn’t need to. “Should” would have still met the spirit of what is intended by the PCI requirement. As a QSA, this lesson resonates with me during all my assessments. When I ask for additional information or call something out, it needs to be significant and important to the customer’s overall business security.
Teamwork makes the dreamwork – and achieving compliance, much easier
Now that I have been on both sides, I wanted to share a few suggestions that I believe can make getting through an annual PCI assessment easier, more efficient, and simply less hard. And guess what? It requires consideration from both sides.
If you are reading this and are on the governance side, here are some things to consider for a smoother assessment:
- Be prepared – Having confidence in your organization’s execution of the PCI requirements shows confidence and strong management while going through the assessment.
- Start preparing long before the assessors are onsite. If there hasn’t been a lot of change from last year’s assessment, use it as a springboard for the current year.
- Have all documentation and procedures pulled together, validated for review and delivered to the assessor ahead of time.
- Perform mock interviews so that teams understand the requirements and are prepared for the assessor's interviews.
- Build remediation time into your schedule. Set the expectation upfront when providing a status update to Senior Management.
- Understand the bottlenecks in your organization. Develop a plan upfront to address the challenges you will face.
- Understand the work effort the QSA must complete in order to meet the PCI DSS requirements to finalize the ROC. As I pointed out, there is more to do than just checking the boxes.
- Look for consistency year over year. If you can get the same QSA, that helps significantly as they are knowledgeable about the environment.
- Work with your QSA on timing so you know when to expect the ROC, eliminating the need to ask for it over and over.
If you are reading this and you are a QSA, here are things to consider:
- Put yourself in the shoes of the compliance lead. Most QSAs are from a technical background. Not all compliance leads are technical, and it is not their only responsibility. Just for me alone in my GRC role, the PCI assessment was only one area of my responsibilities.
- Let the client know how you work. What is your cadence? How do you approach the work effort required to complete the ROC?
- Don’t put your client on the defensive.
- Remember, the assessment is not their primary business purpose; selling a product or service is their business.
- Be proactive in providing a list of items needed for review in the preassessment phase.
- Keep your client informed on your progress to complete the ROC. Your point of contact must keep their management updated.
Today, I find that my past role and my current role really help me empathize with my clients while completing their PCI assessments. I understand the point of contact’s role and what they need from me during the PCI assessment process. I have experienced their challenges within the organization. I really do believe that the PCI assessment process can be a much smoother one when we work together. And, I don’t get bothered when they ask me – “Where is my ROC?”