Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: The Importance of Resources for Your PCI Compliance
Quick Take
On this episode of Compliance Unfiltered, With PCI-DSS 4.0.1 just being released, the CU Guys thought it fitting to share insights on some of the critical resources available to those undertaking PCI Compliance.
Curious about how to ensure your compliance program is airtight? Wondering who can help if you have questions? Struggling with what tools are the right tools for you?
Well, the CU guys have covered on all these topics and more, on this week’s episode of Compliance Unfiltered!
Read Transcript
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Now, here’s your host, Todd C, with Adam Goslin. Well, welcome in to another edition of Compliance Unfiltered.
I’m Todd Coshow alongside the Lionel Messi to your compliance midfield, Mr. Adam Goslin. How the heck are you, sir?
I am doing great today, Todd. How about you? Man, I cannot complain, sir. I cannot complain. And today, we’re all about making things easier. That’s right. We’re talking about the must have resources to make your PCI compliance easier.
Now, whether you’re a seasoned professional or green as their fresh turf in the Tottenham Hotspur Stadium, everybody needs a little help, right, Adam? You got it. That is faux show. So, at the end of the day, there’s a lot that goes into the PCI world, even for folks that have kind of been out there doing their own thing for a while. Whether they’re brand new, there’s hundreds of requirements people need to meet. Many of them are hard to understand. Sometimes you need to take into account things within your environment as you’re kind of going through the process.
So, whether it’s the first rodeo or you’ve been at it a while, any resource that makes your PCI compliance easier is something valuable. So, for an organization that’s facing PCI, for the uninitiated, you know, getting compliant is, you know, really up and challenging.
You know, so, you know, the bottom line is, is that, you know, we started TCT with the mission of, you know, helping to make compliance management suck less and, you know, we dedicate ourselves to, you know, to putting together helpful tools, putting those into the hands of clients. So we wanted to, we wanted to take a crack at, you know, nine different resources that will help people that are, that are either, either struggling or just looking for some additional insight in the, in the PCI world.
Well, first, let’s start with the document library. Yeah. So the, the, the PCI SSC has a document library. It’s a necessity for anybody that’s going through compliance. There’s, it’s the official kind of page that goes over all the details of the current standard, you know, the library. itself. It’s got sections for standards, supporting documents, supporting templates, forms, and you know you’ve got the ability to use some kind of helpful filters to drill down into the from the high -level documentation all the way down to specific needs for your organization. You know the, the default filter lets you view kind of generic PCI information, summary of major changes, and you know from the prior version to the present one. But the PCI section you know primarily is speaking to organizations that have a need to submit a report on compliance, otherwise known as a ROC, you know that have an assessor led engagement. You know for smaller organizations or you know companies that are filling out self -assessment questionnaires you can set that filter to the self -assessment questionnaires and that way you know the folks can go through and review all the information that’s kind of pertinent to you know the self -assessment questionnaire section.
Well what about the standards website? Well the PCI security standards website it has everything to do with PCI. It’s not just you know it’s, it’s you know not only is the document library you know part of it but you know there’s thorough FAQs, there’s you know tons of content related to PCI, additional information from that’s you know being released that provides clarity you know on various compliance related you know subjects you know in addition to the latest and greatest standard. So you know it’s really you know for those that that haven’t taken the opportunity to kind of reacquaint themselves with all of the various functions and you know and assets that are over there. I would strongly recommend go over and take a peek at it. I actually you know every now and then you know I’ll go back over there and I’ll be like, oh, they put out something on fill in the blank, you know, type of thing. They’re constantly adding different pieces and elements of information. So it’s a good resource to go back and kind of poke your head in on. They’re not changing this thing every day, right? But if you, I don’t know, if you get into practice, go ahead over there a couple of times a year just to go check it out. I found that to be pretty helpful.
Absolutely, now one of the most critical pieces for anybody that’s going through this process is finding the right assessor. How can folks find a QSA and how can they find a good one, Adam?
Well, the two are different, right? You know, you ask anybody that’s had a, I’m just picking a profession, people, so don’t anybody like flame me over it. But it’s kind of like, you can go into the yellow pages or whatever, I’m dating myself here, right? The yellow pages, people are chuckling now. But you can go Google a plumber, right? And you’re gonna get somebody that, you know, can probably spell the word plumber. No clue if they’re actually gonna be any good or if they’re gonna suck, you know, whatever. But there is a marked difference between identifying someone that identifies as a plumber and finding someone that can actually do plumbing well. So we’ll kind of go through both of those. When you’re going through that full -scale assessment, whether it’s a self -assessment questionnaire or a report on compliance, you may be required to or may opt to have a qualified security assessor validate your stance against the PCI DSS.
You know, there’s an online listing of the qualified security assessor. So, you know, you can go out there and find the, you know, kind of list of them. It’s actually a part of the standards website. And the page will let you go through, search on a particular assessor, assessment firm. It’ll give you helpful information about the firm, where they work, geographical areas, markets they serve, what languages they speak, you know, things along those lines. And it’ll give you the ability to go click through and get to their website. You know, the reality is that, that’s kind of like Googling the plumber, but if you want to know, if you want to know an assessor that, that, you know, you know, is gonna be a good fit. I would strongly encourage folks, give us a shout. You know, we here at TCT love helping people to find firm, USA firms that don’t suck to deal with. And we would very gladly go ahead and get people connected. Usually when I have those conversations, I like to understand, you know, who’s the company? What is it that they do? What’s their kind of approach to life, etc.. And, you know, and then finding, you know, a QSA firm that I know is gonna do a great job, but, you know, kind of meet their approach to life, if you will, that’s to make for a more harmonious relationship. But, you know, TCT has worked directly and indirectly with, you know, dozens and dozens of different assessment firms. So we’re usually a pretty good resource for, you know, for folks to come hit us up and we can give them a hit.
Now, everybody involved. It needs an approved scan vendor. Tell us more. Again, that can be another tricky obstacle you have to clear. One of the requirements that, for sure, is gonna be external scanning, and it has to go through kind of an approved scan vendor. The short form for that in the PCI space is ASV. For a lot of the smaller merchants, that’s typically is coordinated for them through their merchant bank. They’ll probably have an online system with a, hey, go sign up here, use our handy dandy whiz bang PCI tool, answer these 52 questions, and you can run automated scans and the like. For larger entities, though, they need to get and acquire their own ASV scans. The PCI website has a list of the kind of approved scan and vendors that would fulfill the need under the PCI standard. The one good news part of it is everybody has to go through and validate their scans against the baseline type of a thing. So any of the ones that are on the list will be able to check the box. The ASV scanning is required for the external vulnerability scanning. And so, as organizations need that, if you’re just looking, I just need somebody to go into the scanning, the vast majority of the solutions up there are going to be similar in nature. Each of them has their own kind of quirks and advantages and whatnot. Again, if anybody needs to get some, any particular insight etc. you’re welcome to go hit up TCT. We can kind of give you a hand with pointing you in the right direction, which ones seem to be the leading front runners, etc. It’s funny, the list of, who’s the more popular ASVs on the list, it actually changes more often than people think. So yeah, you’re welcome, go give us a shout.
Fair enough. Now, how can the Global Registry of Service Providers help? Well, part of getting through PCI compliance is making sure that your service providers are also PCI compliant. Sometimes it’s a real pain to be able to find good vendors that aren’t just giving lip service to PCI. So Visa maintains a list of hosting companies and other service providers that are certified as PCI compliant. Companies that undergo level one ROC have the option to get their name added to said list. But as you go to the global registry of service providers, you can search through by company name for specific vendors, browse the entire master list. You can take a look at their certifications, the date that their validation expires, what types of services they’re providing, where they operate, and more.
So the registry can be a great place to check the vendors that you’re currently using. A lot of the QSA firms, as they’re going through and doing your annual validation, they will take the screenshots of that global registry of service providers. They’ll take screenshots right off of there because they know in order to hit the list, then they have to have a valid reviewed AOC in order to even make the list. So it kind of takes the place of the gathering process that a lot of organizations will do of gathering up those AOCs. They can use that as a streamlined element of evidence so they don’t have to pull all that information together. They still have to go through and collect up the AOCs, review them, make sure they’re valid on their end, etc. But it’s a handy -dandy tool to be able to go through. If a particular company isn’t on the list, though, it doesn’t mean that they’re not PCI compliant. It just means they didn’t opt to participate in the list.
The list is, you know, is definitively a pay to play. So you have to pay a fee to be able to get your, your organization listed on that particular list. Copy. Okay. Now certainly it can be said, everybody, everybody, easy for me to say, needs a guru.
Tell us about the PCI guru. Oh my god. You just made me start singing a song in my head. Everybody, everybody, everybody. Yeah, sorry. I’m back now. So, yes, everyone needs a guru. So, in fact, we had the PCI guru on compliance unfiltered. So the, you know, the team that runs the blog for the PCI guru has been writing about PCI since 2009. As their tagline says, they take a common sense approach to achieving PCI compliance and TCT definitely can appreciate that type of an approach to things. There are posts up there on a bunch of different interesting helpful topics around PCI, how things work, but everything specific to PCI DSS. They’ve been in a space a really long time. They know what they’re talking about, so that often is a good source for folks to go to for miscellaneous questions and things along those lines around the PCI DSS.
Shout out to our guy, the PCI guru. We’re thankful that he is a member of the PCI community and as helpful as he is. Speaking of helpful, what about helpful tools for troubleshooting technical website configurations? Well, there’s a tool that’s been out there for a while and it’s an SSL server test capability. Basically, it’s a free online service. It gives you kind of a deep analysis of the configuration of any SSL web server on the public internet. It’s testing the website security and provides just a whole slew of good information that’s really helpful, especially as you’re going through and trying to pin down, work through any particular issue. We often use the resource to just get an objective test result of a particular organization site. It lets you be able to identify security issues in a couple of minutes and you can then target corrective actions and things along those lines. You know, the results, and this is a tool by the way that’s put out there by Qualys, you know, but when you go through and you run your site, it’ll end up giving the site an A plus through F rating. You know, you’ll see the results kind of listed line item by line item, so you can go down, see what’s in good shape, what needs your attention, you know, things along those lines. And one helpful tidbit is that on that particular website, I’d strongly recommend, there’s a little check box below the host name that says, do not show the results on the boards. In other words, you can go in and you can run it, but if you check that box, it won’t show up on the, you know, worst and best listed, you know, sites, if you will, that are a publicly available listing for those that chose not to check the box. So it is, You know, it is good to maintain your anonymity, if you will. But no, that tool in particular is super freaking helpful.
Nice. Now, a lot of people struggle with the system benchmarks. What do you have there? Well, the CIS, they’ve actually been building toward this for quite a long period of time. CIS put out a series of benchmarks for, you know, for systems. It started with a handful of systems, and then it graduated to more systems. And then they included even more, and then they included additional features, additional functions, you know, different types of infrastructure, etc. So, you know, at this point in the game, they’ve got a pretty hefty library of various hardening standards for various of your devices. So, you know, I’ve seen a lot of different hardening standards out there over the years, generally speaking. The clients that are implementing standards across their systems have generally remarked that the CIS standards appear to be the ones that they’ll gravitate toward. You know, you can get default settings to get you up and running quickly, you know, out of the gate. But those aren’t optimized for, you know, for security. The hardening standards can make sure that you go through your devices and that they’re appropriately configured.
So, the CIS benchmarks, they’ve actually deployed some additional, additional tooling in the last several years that allows organizations that want to kind of sign up for the service to, number one, be able to compare their system to benchmarks and see where they’ve got issues. They’ve also got some functionality that will help you apply those benchmarks against your targeted system. So, that’s pretty cool functionality for… you know, for those where their existing technology works with that toolset, you know, it can be very, very helpful with getting those benchmarks appropriately deployed.
Yeah, that sounds really cool. Really does. Now finally, I think we’ve been a little helpful to the folks out there too, right? A little bit. I mean, you know, nobody wants to break their arm patting themselves on the back or anything, but, you know, we do have some, we do have some pretty cool stuff. Certainly, one of the resources is definitively TCT. You know, we’re here to, we got into this space to help people make compliance management suck less. So we’re here to help you. We’ve got this awesome podcast that’s here to help you. You know, we were, we were counting up the episodes the other day. I think we’re closing in on like 140 episodes. So we’ve covered a lot of various different topics. And certainly it’s a helpful resource that you can go into the website, our website, and then you can search under the resources podcast and you can search for topics. So you wanna find something on wireless, you wanna find something on firewalls, you wanna find something on benchmarks, whatever. You can just go in and do searches, etc. You don’t have to sit around reading it or whatnot.
Maybe you listen to it on the car or whatnot, whatever strikes your fancy, if you will. But the reality is, is we tried to, the reason why we put so much time into doing this is because we wanna be able to help people. We wanna talk about things like real people, no pretense, no big words to try to impress anybody I would very much rather the material be, certainly relatable to the listener and something that they don’t cringe at if they have to go through and listen to it.
So that’s helpful as well. Of course, we’ve got the TCT portal, we’ve helped organizations with their compliance for well north of a decade, just a lot of resources that we can bring to bear on behalf of those that are kinda needing a little bit of assistance.
Most assuredly. Parting shots and thoughts for the folks this week, Adam?
Well, everybody needs help, everybody needs a friend, all that fun stuff. So, bottom line is, is that feel free to reach out to us.
The offers are sincere. I’d like to refer to folks, especially. when I when I get the, the joy of referring to you Todd. You know I didn’t have to say hey Todd is my non -PETA head of sales you know meaning that you know we’re not going to hound you mercilessly. We’re not going to you know try to be intrusive you know things along those lines. At the end of the day we’re a collaborative organization you know we got into the space for the right reasons. We just like helping people you know get you know navigate the waters and get through it.
You know that type of thing so I meant it when I said it earlier you know if you’re looking for guidance need some advice just want somebody to sit and talk about a particular you know particular problem issue whatever you know again reach out to us give us a shout we’ll be happy to happy to give you a hand it’s there, there in my opinion there aren’t enough people you know out there that are just genuinely interested in helping others and I love to see more of it but I’m not going to hold my breath either.
And that right there, that’s the good stuff.
Well that’s all the time we have for this episode of Compliance Unfiltered, I’m Todd Coshow, and I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.
