Ask security professionals what the most painful part of PCI security compliance is and most will start grousing about the auditors.
Some will describe the auditor who came in and started faulting their controls without first taking time to understand the specific business dynamics the controls were designed to address. Others will lament that their auditor required them to buy an expensive new appliance from a specific vendor to attain a passing compliance grade.
Robert Duran and Allan Kintigh have endured the auditing process, but one man's experience was more unpleasant than the other's. Nevertheless, each has come away from it with a solid security programme.
Duran is information security and privacy officer at Time Inc., the New York-based media giant of 10,000-plus employees. Under PCI DSS, Time is a level 1 company, which means it processes more than six million credit card transactions a year and is subject to an annual on-site audit and quarterly network scans performed by an approved vendor (an Approved Scanning Vendor, or ASV). [Level 2 and 3 companies process 20,000 to 6 million credit card transactions a year and must fill out an annual self-assessment questionnaire and have an approved vendor do quarterly network scans.]
His experience is that the auditors often don't know what they're talking about.
Kintigh is a software engineer with Minnesota-based National Bankcard Services, a payment card transaction processor with fewer than 20 employees. Though tiny compared to Time Inc., the company is still level 1 because it too processes more than six million credit card transactions a year.
His experience is that the auditors are fair and genuinely helpful.
Don't believe what they say
During a panel discussion on PCI security CSOonline held in New York last month, Duran suggested merchants learn as much as they can about the standard so they'll know when an auditor is sending them in the wrong direction.
"You need to understand PCI yourselves, because the auditors will tell you things that you may not like and probably shouldn't believe," he said. "The more you understand, the more you can challenge them."
Duran's department has to deal with two auditors - one in the U.S. and one in Europe. They often give different answers to the same question because they approach the same control from different perspectives. He has also come across auditors who lack a proper understanding of such technical matters as firewall and VLAN configuration.
"Not all [auditors] are the same and not all of their responses will fit your situations," he said. "And so we have to manage them against each other and get what we need from them. They don't always understand the specific security needs of the business."
For example, he said, a business unit can be faulted for not having a firewall installed on certain systems, even though the more appropriate control for that unit may be to segment those systems from the rest of the network. Done properly, segmentation also limits which systems can reach cardholder data, and therefore how much of the network falls into the assessment at all.
Merchants who take the time to truly understand the mechanics of PCI are therefore in a position to debate the auditor's findings and avoid wasteful technological investments that are sometimes made for the sake of a passing grade.
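The scoping argument above is easier to make to an auditor with a concrete map of which segments can actually reach the cardholder data environment (CDE). The following is an added illustration, not code from the article or from either company: a small reachability check over a constructed topology of network segments and the flows their firewalls or VLAN ACLs permit. It conservatively treats any segment with a permitted path to the CDE as in scope (the real determination also weighs whether a system can affect the CDE's security), and it shows the same set of segments once flat and once segmented. Segment names and flows are hypothetical.

```python
"""Toy PCI scope analysis over network segments (added example, not from the page).

A segment is treated as in scope if it is the CDE or can open a connection,
directly or through other in-scope segments, to the CDE. The topologies below
are constructed for illustration only.
"""
from collections import deque

# Constructed sample: segment -> set of segments its firewall rules let it reach.
# Segmented design: only the management jump hosts may connect into the CDE.
SEGMENTED = {
    "cde":      set(),                # payment systems; no outbound to corp
    "mgmt":     {"cde", "corp-lan"},  # jump hosts, allowed into the CDE
    "corp-lan": {"internet"},         # office users, blocked from the CDE
    "dev":      {"internet"},         # dev lab, blocked from the CDE
    "internet": set(),
}

# Same segments with no segmentation: everything can reach the CDE directly,
# so a missing host firewall anywhere becomes an audit finding for the CDE.
FLAT = {
    "cde":      set(),
    "mgmt":     {"cde", "corp-lan", "dev"},
    "corp-lan": {"cde", "internet", "dev", "mgmt"},
    "dev":      {"cde", "corp-lan"},
    "internet": set(),
}


def scope_paths(flows, cde="cde"):
    """Map each in-scope segment to the chain of permitted flows by which it
    reaches the CDE, e.g. ["dev", "corp-lan", "cde"]. The CDE maps to [cde].

    Walks the reversed flow graph breadth-first from the CDE, so the path
    recorded for each segment is a shortest one (useful when explaining to an
    auditor exactly which rule pulls a segment into scope).
    """
    reverse = {}
    for src, dsts in flows.items():
        for dst in dsts:
            reverse.setdefault(dst, set()).add(src)

    paths = {cde: [cde]}
    queue = deque([cde])
    while queue:
        cur = queue.popleft()
        for src in sorted(reverse.get(cur, ())):  # sorted for stable output
            if src not in paths:
                paths[src] = [src] + paths[cur]
                queue.append(src)
    return paths


def in_scope(flows, cde="cde"):
    """Set of segments that would be assessed under the conservative rule."""
    return set(scope_paths(flows, cde))


def scope_report(flows, cde="cde"):
    """Human-readable lines: one per in-scope segment with its path to the CDE."""
    return [f"{seg}: {' -> '.join(path)}"
            for seg, path in sorted(scope_paths(flows, cde).items())]


if __name__ == "__main__":
    for name, topology in (("FLAT", FLAT), ("SEGMENTED", SEGMENTED)):
        print(f"{name}: {len(in_scope(topology))} of {len(topology)} segments in scope")
        for line in scope_report(topology):
            print("  " + line)
```

Run as a script, the flat topology reports four of five segments in scope while the segmented one reports only the CDE and the management segment; the remaining segments stay out of the assessment without any host firewall being installed on them.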
Communication = a better experience
Kintigh has had more positive dealings with the auditors. One thing in his favour is that his company's footprint is tiny compared to Time Inc.: overhead is low, there are no more than 20 employees, and the systems an auditor must examine are a lot simpler.
"We've had fairly decent interactions with our auditors," Kintigh said. "They've been willing to talk over issues with us before giving us the big red X. We are a small company and their processes are built for rather large companies."
Since only a small number of people sign off on software changes and the like, the auditors seem to have an easier time pinpointing strengths and weaknesses in the company's PCI security programme. In this case, they recommended a more formalised software update process.
"They wanted to see tighter control over our procedures for software tracking, patch management and change management," he said. "We had a system in place but not under a formalised process. They wanted more documented, formal procedures and they wanted us to be more consistent about it."
At the beginning of the auditing process, they also examined the company's firewall rules and suggested changes. "We had various firewalls on different machines and the auditors suggested they wanted to see more of a commercial box for that," he said.
Each year, he said, the auditing process gets easier because the company gains a better understanding of what auditors tend to look at.
One auditor's advice
During the CSOonline PCI security event, Atlanta-based auditor James DeLuccia sat on the panel alongside Duran. He acknowledged that a lot of companies run into the difficulties Duran described. Among other things, he agreed there are probably auditors out there who go too far in pushing certain vendors on merchants as a condition for a passing grade.
However, he said, merchants have a better chance of getting a fair shake these days because there's a larger pool of auditors to choose from.
"At the beginning there were far fewer companies capable of performing a PCI security audit, but in the last couple years Visa and MasterCard have authorised a lot more," he said. "The bigger the pool of auditors, the more likely you will see transparency."
His parting advice to merchants facing an audit: Don't stick with the same auditors for too long.
"I always tell clients they shouldn't rely too much on the same auditor," he said. "I suggest rotating the auditors so you'll always have fresh perspectives and second opinions."