PCI 2.0 scoring matrix released to the public (now your kids can play “PCI Auditor” at home!)
The PCI Security Standards Council (SSC) has recently released the latest version of the 2.0 Report on Compliance (ROC) Reporting Instructions (formerly called the “scorecard”). This document had previously been for use by QSA auditors only; it is the secret sauce used to perform a Level 1 PCI audit. For those of you lucky enough to have gone through a L1 audit, the “scorecard” is the super secret document that the QSA kept stored on the triple encrypted drive in the TEMPEST-approved tamperproof tungsten-lined briefcase handcuffed to her wrist. QSA’s were not allowed to share the criteria on which the company was being audited (scored) on; the reporting instructions require the QSA to perform one or more of the following validation steps for every requirement:
- Observation of system settings, configurations
- Documentation review
- Interview with personnel
- Observation of process, action, state
- Identify sample
Well, good news everyone! The document is now available to the general public. Hopefully, this will eliminate some of those awkward moments that seem to always come up during an audit: QSA: “You need a documented policy that says you use network address translation. That’s not written down anywhere.” Customer: “Can you show me where it says I need to do that in the DSS?” QSA: “You won’t find it there, but I promise it says it somewhere. I’m not allowed to show you, just trust me, you need it”. Customer: “Can you just let me peek over your shoulder?” QSA: “If you saw it, I would have to have your memory wiped. Have you ever seen “Men in Black“”? Customer: “I’m calling Security”. It’s pretty hard to follow the rules when you’re not allowed to know what they are. With this document’s public release a company can actually evaluate their controls and compliance program against the same standards that a QSA will use; no more guessing how to meet a requirement, no more conversations where the auditor gives a seemingly arbitrary failing finding, with a “because I said so” for the explanation. This should also allow for organizations to get a much better picture of the intent and expected implementation of a requirement by understanding how the controls will be assessed. Well done, SSC.
Explore More Blog Posts
Extracting Sensitive Information from Azure Load Testing
Learn how Azure Load Testing's JMeter JMX and Locust support enables code execution, metadata queries, reverse shells, and Key Vault secret extraction vulnerabilities.
3 Key Takeaways from Continuous Threat Exposure Management (CTEM) For Dummies, NetSPI Special Edition
Discover continuous threat exposure management (CTEM) to learn how to bring a proactive approach to cybersecurity and prioritize the most important risks to your business.
How Often Should Organizations Conduct Penetration Tests?
Learn how often organizations should conduct penetration tests. Discover industry best practices, key factors influencing testing frequency, and why regular pentesting is essential for business security.