Wednesday, June 10, 2015

Designated Entities Supplemental Validation

Who in security doesn't like the idea of making security (and thereby PCI compliance) business as usual, or BAU? The goal of BAU is to enable an entity "to monitor the effectiveness of their security controls on an ongoing basis, and maintain their PCI DSS compliant environment in between PCI DSS assessments." (PCI DSS v3.1, page 13) It's a terrific concept, but it hasn't really taken root yet.

The PCI Council offered some examples of how to implement PCI DSS into BAU activities but they didn't go much further than that in describing what BAU means for an entity subject to PCI DSS compliance. The example suggestions include but are not limited to:
  1. Monitor security controls for effectiveness.
  2. Detect and respond to security failures promptly.
  3. Review proposed CDE changes and follow complete change management practices.
  4. Review compliance impact and PCI scope after organizational changes.
  5. Communicate with personnel and review processes to confirm security controls remain in place.
  6. Review technology at least annually for vendor support and security effectiveness.
They also make a suggestion I think is very important: "Consider implementing separation of duties for security functions so that security and/or audit functions are separated from operational functions."

On June 5, 2015 the PCI Security Standards Council (PCI SSC) took the idea of treating PCI compliance as BAU a step forward. And it's a huge step. They created a new compliance validation program and published the PCI DSS Designated Entities Supplemental Validation For use with PCI DSS v3.1. This document takes a deep dive into the BAU idea and provides a lot more guidance on how to comply in a BAU manner. It digs into the organizational environment and operational processes of the assessed entity.

This new set of validation steps came about because investigations of data breaches revealed an important fact. That is, that too many entities are not maintaining PCI compliance between their annual assessments. If you read the 2015 Verizon PCI Compliance Report you learn that only 28.6% of assessed entities were still compliant less than a year after their assessment. While that's an improvement from a few years ago it's still disappointingly low. But now, if acquirers or card brands want to focus in on mid-year compliance problems with certain designated entities they have a new tool in their belt to help keep these entities in line.

My first reaction on reading this was Yikes! But there are some important things to stop and understand before succumbing to fear. First and foremost, Designated Entities Supplemental Validation (DESV) applies only to designated entities. That designation can only be assigned by an acquirer or card brand. A QSA can't require it during an assessment, and there is no set of self-assessment qualifications that would require you to follow it. It is an additional validation step required for particular entities. The Council provides some examples of which entities it may apply to, which could include:
  • Those storing, processing, and/or transmitting large volumes of cardholder data,
  • Those providing aggregation points for cardholder data, or
  • Those that have suffered significant or repeated breaches of cardholder data.
My take on it is that this would apply mainly to Level 1 merchants and service providers. I can't recall if I have met someone from a university that is a Level 1 merchant. Even with aggregation my school is a Level 2. If an acquirer or a card brand gets suspicious that an entity is not trying to make PCI compliance BAU, the entity may receive the DESV designation.
Secondly, the DESV does not create any new PCI requirements. Instead it tells an entity how they can meet the requirements already included in PCI DSS. It provides a path to demonstrate to their acquirer or card brand that they are maintaining compliance and it is not just an annual checkbox exercise. Each of the DESV requirements refers to the section(s) of the PCI DSS that it comes from.
Here is an example:

DE.1.1 Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program to include:
  • Overall accountability for maintaining PCI DSS compliance
  • Defining a charter for a PCI DSS compliance program
  • Providing updates to executive management and board of directors on PCI DSS compliance initiatives and issues, including remediation activities, at least annually
PCI DSS Reference: Requirement 12
Each of these requirements also has a detailed testing procedure (often referencing specific documents) and a guidance column, just like you see in the standard itself. You will see things that you don't see in the standard, but those are often considered implicit in the PCI DSS. For example, in DE 1.1 above it references "a charter for a PCI DSS compliance program." This takes requirement 12 up a notch in terms of having tangible evidence that it is being followed.
The additional validation steps are grouped into five main areas to control. Those are:
  • DE.1 Implement a PCI DSS compliance program.
  • DE.2 Document and validate PCI DSS scope.
  • DE.3 Validate PCI DSS is incorporated into business-as-usual (BAU) activities.
  • DE.4 Control and manage logical access to the cardholder data environment.
  • DE.5 Identify and respond to suspicious events.

There are no surprises here. But I am particularly impressed with Area 2, scoping. It has concrete steps to assess and validate the scope of compliance. We all know how slippery scope can be sometimes. Area 2 sheds a lot of light on scoping here. It covers data discovery tools in some detail and also addresses data exfiltration. I particularly like the requirement to not only document the PCI scope, but also to document what is not in scope. That's thorough.

Some of these new DESV requirements are different from the PCI DSS simply because they go above and beyond in terms of frequency or reporting. For example, penetration testing is required at least annually in the PCI DSS. But in DE 2.4 it becomes a semi-annual process for organizations that use segmentation to limit scope.

I think the DESV program should not be a big concern for colleges and universities at this time. But things do change, and it's a rare day when PCI DSS requirements get looser instead of tighter. Take this example from the FAQ:
  • Q5: Can I use the DESV even if I’m not a Designated Entity?
  • A: Yes. The DESV can be used to complement any entity’s PCI DSS compliance efforts, and all entities are encouraged to follow the DESV as a best practice, even if not required to validate.

I would agree with that. If I had the security resources available to implement DESV now I would do it! However, not many of us in this sector have those kinds of resources. But do take note of the encouragement "to follow the DESV as a best practice." We know that sometimes best practices become requirements later on. Take heed, my friends.

The Designated Entities Supplemental Validation program was released with a good set of supporting documents, including a FAQ sheet, a reporting template, and its own specific Attestation of Compliance. You can read the press release on the PCI Security Standards Council's web site ( and you will find the related documents in the Council's documents library.

Payment Card Industry (PCI) Data Security Standard
PCI DSS Designated Entities Supplemental Validation
For use with PCI DSS v3.1

Monday, April 27, 2015

New PCI DSS SAQs for version 3.1

As Emma Sutcliffe mentioned to us at the PCI Workshop last week, the PCI Security Standards Council has today released version 3.1 of the Self-Assessment Questionnaires. At this time they are only available in Microsoft Word format. I expect the PDFs will come later.

In addition, there are two new updates to previous documents. First, there is new version of Understanding SAQs for PCI DSS v3. I wish they had called it v3.1 to distinguish it from that confusing InfoSupp released last May. I have not read it in detail yet, but I did take a look at the comparison tables. Hallelujah! They removed that horrible, undefined term “acceptance” from the document. That added so much confusion. They also removed the entire “Control of Cardholder Data” comparison completely.

The other updated document is SAQ Instructions and Guidelines v3.1, finally updated from PCI DSS v2. I haven’t had a chance to dig deeply into this either, but I’m sure it will yield some gems I can use in tomorrow’s PowerPoint!

You can find the new documents on the PCI SSC web site in the document library under the SAQs tab. There is also a SAQs v3.1 link on the home page:

Monday, April 13, 2015

Sunday Evening Reception

Hello all,

There are MANY attendees checking in on Sunday this year, so you may have noticed that the Treasury Institute has added a Welcome Reception on Sunday evening. This informal event will be a great opportunity to meet and greet old friends and new. The reception will be in the Opium Terrace (by the pool) from 6:00 to 7:30 PM, with beer, wine, and cheese served. (Please note, the time was incorrectly listed as 5:00-6:30 in an earlier post.)

Please make sure you hit the Workshop registration table, open from 4:00PM-6:00PM Sunday, so that you can pick up your badge for entry to the reception. As usual, many of us will join up into informal groups for dinner afterwards. Don't be shy.

I’m looking forward to seeing many of you next week in Las Vegas!


Friday, April 3, 2015

2015 PCI Workshop Sponsors

I'm really looking forward to the Treasury Institute's 2015 PCI Workshop in Las Vegas Henderson, NV, coming up in about two weeks. The frigid Michigan winter made a PCI popsicle out of me, and I am ready to thaw out!

But before I head out I want to make a mention of our workshop's Partners and Supporters. Without their generous support we would not be able to have this terrific workshop, especially at the low price for registration. Most of these supporters will be there with informational tables, and it would be great if you could stop by their display and say hello during the workshop this year. They offer solutions to help us get our jobs done, and they are generally very familiar with our sector.

Here is the group we will have with us later this month:

Founding Partner

Alliance Partners
Association for Financial Professionals

Bluefin Payment Systems

See you in Vegas, Baby!

Monday, March 30, 2015

2015 PCI Workshop Program Set

Update, 3/30/2015: I heard from one presenter that his description of his presentation did not match up with what appears on the Treasury Institute web site. If any other have seen this, please let me know and we'll get it worked out. Also, our Sponsors and Supporters page may not be complete yet, I think some paperwork still needs to be processed before all the supporters are listed. --gaw

FRIDAY, MARCH 30, 2015

It's here at last. The program committee for the workshop has wrapped up the schedule for the 2015 Treasury Institute PCI Workshop. You can see the summary on the Treasury Institute's Workshop information page at I will add more details in the days to come.

Something new this year - we will have a (semi-official) pre-workshop reception at the resort late on Sunday afternoon. Many attendees will be checking in on Sunday April 19, so we will have an informal Welcome Reception from 5:00 until 6:30 PM 6:00 until 7:30 PM. Talk about the week ahead or just relax after a day of travel with old friends and new. In years past groups have formed up on Sunday to sample the local restaurants and we will do the same. Dine at one of the Green Valley Ranch Resort, Spa, and Casino's 10 restaurants or head for the Strip! Or you can have a more laid-back night and take in the latest flick at the Regal Cinema, with 10 screens right on the resort property.

Whatever your arrival day plans may be, get ready for a fun and informative week at the 2015 Treasury Institute PCI Workshop.

Note: We may break attendance records for the second year in a row. If you have any problem booking your room (we're nearly sold out), our Meeting Planner Megan at the Professional Development Group will help you out. Information on Workshop rooms and Megan's contact info may be found here:

Wednesday, March 18, 2015

OpenSSL to be patched Thursday 2015-03-19

If you haven't heard the recent security news yet, be forewarned that newly-discovered flaws in the OpenSSL encryption library are due to be patched tomorrow, March 19. Some of the weaknesses have been classified with a "high" severity.

The OpenSSL libraries provide encryption services to protect online communications such as e-mail, file transfers, and most importantly, secure web sites. The libraries implement the (outdated) Secure Sockets Layer (SSL) and its replacement the Transport Layer Security (TLS) protocols. If you see a padlock and "https://..." in your web browser's address bar then SSL/TLS is at work. A major segment of the global internet depends on OpenSSL to maintain data privacy and secure confidential information such as banking and credit card data, transactions related to healthcare and government services, and other personally identifiable information that can be used to commit identity theft and other fraud.

Recently, the PCI Security Standards Council announced the upcoming release of the Payment Card Industry Data Security Standard (PCI DSS) version 3.1. The main reason for this update to the standards is to remove the older SSL protocol from lists that provide examples of strong cryptography. SSL no longer meets that definition based on recommendations by the U.S. National Institute for Standards and Technology, known as NIST.

For a good discussion of this news, please see Brian Krebs's blog, Krebs on Security. His post today, OpenSSL Patch to Plug Severe Security Holes, provides more background and explains the importance of putting these patches into place as soon as possible.

2015 PCI Workshop Tentative Schedule

2015 Treasury Institute PCI DSS Workshop
Green Valley Ranch Resort (Greater Las Vegas)
2300 Paseo Verde Pkwy
Henderson, NV 89052
April 20-22, 2015

Tentative Workshop Agenda*

Sunday April 19th
4:00 pm-6:00 pm Early Registration
Monday April 20th    
8:00 am -1:00 pm Conference Registration
10:00 am-noon Optional Session: Introduction to PCI
Noon-1:00 pm Lunch on your own
1:00 pm-5:00 pm Workshop Begins: General and Concurrent Sessions 
5:00 pm-6:30 pm The 90 Minute Networking Hour
Tuesday April 21st      
8:00 am-9:00 am Buffet Breakfast
9:00 am-Noon General Sessions
Noon-1:30 pm Lunch
1:30 pm-5:00 pm General and Concurrent Sessions
5:00 pm-6:30 pm The 90 Minute Networking Hour
Wed. April 22nd           
8:00 am- 9:00 am Buffet Breakfast
9:00 am-noon General Sessions
Noon-1:00 pm Lunch
1:00 pm-3:30 pm General Sessions

*Agenda subject to change at any time

Information about sessions and speakers is coming soon!