Anyone Got a Flashlight?
If you are a large Merchant 2 with a very public brand name, you may want to seriously think about getting a QSA to perform a full onsite assessment and ROC for you, especially if you have never done so before. You honestly have no idea how many control and requirement gaps you have, or where they are; trust me, they are there. You're better off doing your due diligence and going through the pain that first time and knowing where your control and security gaps are.
For all you Merchant 2s looking to self assess but not quite sure if you can, and what risks (if any) are associated with submitting a SAQ, this article is for you.
Ever since MasterCard threw a grenade into the room in June 2009, announcing that Level 2 merchants would have to have a QSA conduct a full onsite assessment and submit a ROC, there has been some confusion on the details and what it all means. For anyone in the PCI world this is no surprise, as the card brands and the PCI board have been pretty bad at defining details and many times kick the issue over to the other group (more on this later).
Then in December 2009 MasterCard partially reversed course and stated that a Merchant 2 could self assess, but would have to attend some type of PCI training, which at the time did not exist. MasterCard also released no other details at the time. Thanks, MasterCard; anyone got a flashlight?
So finally in May 2010 the PCI board released details on their new "Internal Security Assessor" (ISA) program, along with supporting requirements (good for you, PCI-SSC) for the company and the company staff members who would attend the testing.
So in short, yes, Level 2 merchants can perform their own assessment. But there are several caveats:
• Per MasterCard – Merchant 2 would have to have a PCI-SSC certified internal assessor.
    - No other details are given; they are basically passing the buck to the PCI board.
• Per PCI-SSC – Merchant 2 would have to apply as a sponsoring company.
    - Key requirement – Must have a dedicated audit department.
• Per PCI-SSC – Merchant 2 staff member would have to apply for the ISA program test.
    - Key requirement – Staff member must be a full-time dedicated internal auditor.
• Per Banks – Probably; go ask MasterCard and/or the PCI-SSC.
BUT not so fast, let's clarify and answer some questions here. The first question that popped into my mind was: what are the requirements that define what a dedicated audit department and auditor (ISA) are? I mean, this sounds obvious, but something I learned a long time ago, and which continues to be my favorite saying, is "Assumption is the mother of all F*** ups" (Under Siege 2). So I submitted an official request to the PCI-SSC (kudos to them for getting back to me quickly) asking them to define what requirements there are around the following 2 statements:
1. Organization must have a dedicated internal audit department, group or division;
2. The ISA candidate must be a full-time internal security audit professional;
Now, I obviously ask these questions because I want to resolve any doubt about the independence of the group and the individual conducting the assessment. I made several attempts via email to pin the PCI-SSC down to an answer, but to no avail. Now, in their defense, they were awesome in getting back to me; the person I was working with was very knowledgeable, so they weren't blowing me off. They just didn't want to make that judgment and stated that it was the acquiring bank's decision to dictate the requirements, if any, around the department and individual.
Ok, off to the bank we go. Of course, depending on the bank you have, this answer may vary, but most will respond with, "You need to ask MasterCard and the PCI-SSC". Now, in the bank's defense, I don't blame them: it's MasterCard's requirement and the PCI-SSC's test, and yet they want the bank to define the requirement. No. First off, the banks enforce; they do not interpret the requirements, nor are they supposed to. That's the PCI board's and the QSAs' job, not the merchants' or the banks'.
So where does this leave us? Well, in the case above, in a gray area! If you're a Merchant 2, ultimately it's up to your bank whether they will accept a SAQ. If your bank allows you to submit a SAQ, you need to understand what additional risks, if any, this may pose. Case in point: most current merchants conduct self assessments and/or manage PCI within I.T., as they should, since that is ground zero and where the persons qualified to conduct the assessment reside.
However, with no requirements anywhere to define or enforce the independence of the auditor and the assessment, the SAQ results are open to suspicion. I can say this: if you have 2 large Level 2 merchants that both experience a credit card data breach, and Company A has had an onsite assessment conducted by a GOOD QSA while Company B had a SAQ performed internally by I.T. with no QSA assistance, which company would you rather be?
Anybody got a flashlight?