PCI 2.0 scoring matrix released to the public (now your kids can play “PCI Auditor” at home!)
The PCI Security Standards Council (SSC) has recently released the latest version of the 2.0 Report on Compliance (ROC) Reporting Instructions (formerly called the “scorecard”). This document had previously been for use by QSA auditors only; it is the secret sauce used to perform a Level 1 PCI audit. For those of you lucky enough to have gone through a L1 audit, the “scorecard” is the super secret document that the QSA kept stored on the triple encrypted drive in the TEMPEST-approved tamperproof tungsten-lined briefcase handcuffed to her wrist. QSAs were not allowed to share the criteria on which the company was being audited (scored); the reporting instructions require the QSA to perform one or more of the following validation steps for every requirement:
- Observation of system settings, configurations
- Documentation review
- Interview with personnel
- Observation of process, action, state
- Identify sample
Well, good news everyone! The document is now available to the general public. Hopefully, this will eliminate some of those awkward moments that seem to always come up during an audit:

QSA: “You need a documented policy that says you use network address translation. That’s not written down anywhere.”
Customer: “Can you show me where it says I need to do that in the DSS?”
QSA: “You won’t find it there, but I promise it says it somewhere. I’m not allowed to show you, just trust me, you need it.”
Customer: “Can you just let me peek over your shoulder?”
QSA: “If you saw it, I would have to have your memory wiped. Have you ever seen ‘Men in Black’?”
Customer: “I’m calling Security.”

It’s pretty hard to follow the rules when you’re not allowed to know what they are. With this document’s public release, a company can actually evaluate its controls and compliance program against the same standards that a QSA will use: no more guessing how to meet a requirement, and no more conversations where the auditor gives a seemingly arbitrary failing finding with a “because I said so” for the explanation. This should also allow organizations to get a much better picture of the intent and expected implementation of a requirement by understanding how the controls will be assessed. Well done, SSC.