Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.
Show Notes: Should Your Organization Do a PCI Self-Assessment?
Quick Take
On this episode of Compliance Unfiltered, the CU guys touch on some unknown territory for a lot of folks, and that is the realm of PCI Self-Assessments.
Should your company do one? Well, first Adam will spend time going over what a PCI Self-Assessment actually IS. He’ll go over what the requirements are, whether or not a third party would take your word for it, and how leveraging a compliance management system can help.
All this, and more helpful PCI Self-Assessment tips, on this week’s episode of Compliance Unfiltered!
Remember to follow us on LinkedIn and Twitter!
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside the toasted sourdough to your pastrami sandwich in the compliance realm, Mr. Adam Goslin. How the heck are you today? I am doing good, Todd. How about yourself? Plus and minus, sir, I cannot complain. But today, we’re going to have a conversation about kind of that middle ground, right? And specifically, I’m talking about should you do a self-assessment for PCI?
What are some of the companies that should contemplate self-assessments against PCI? Well, you don’t necessarily need to have a third-party assessment to be compliant with PCI DSS. There are a lot of organizations that will choose to self-assess. Not every company can do this, and it isn’t always the best choice. But for some organizations, it’s certainly an attractive option. You know, self-assessing may be an attractive option if you’re just starting out with PCI, and especially if you’re in a smaller organization with a restricted budget. You know, the simpler the organization, the easier it is to head down that self-assessment route for PCI. So those are some of the main reasons.
And that tracks. Now, explain, I guess, for the uninitiated, what a self-assessment for PCI actually is. Well, in the PCI world, there are basically two main paths you can take when you’re going down the road of PCI. You can go down the road of a third-party assessment that’s done by a qualified security assessor, and the final document, the final output of it in terms of the report for the organization, is called a report on compliance. Then there’s a second path, which is the self-assessment option, and you’ve got options there. You can go through and conduct it with your own internal team. The final document that’s shared is called a self-assessment questionnaire. You have the capability to sign off on it on your own, but optionally you can also have a QSA or a consultant sign off on it. So those are kind of the two major paths. The self-assessment questionnaire is available in a series of different questionnaires. So they’ve got everything from various versions of it, from a SAQ-A, kind of at the least impactful end, all the way up to a SAQ-D, which basically comprises all of the requirements of the PCI DSS. And there are others in between that are scenario-specific to the organization: how they interface with, interact with, and handle card data. And so there’ll be another series of these in the middle, and you’ll need to figure out which of these scenarios is the appropriate one for your situation. Certainly one of the risks is, if you go through and you complete the wrong questionnaire, that can have some pretty substantial consequences for the organization. So it is critical that you go through and use the one that fits your use case.
I had an organization, they were a vendor in the space, that had inappropriately selected the wrong self-assessment questionnaire to leverage. And it was pretty obvious, based on what it was that they were providing, that they didn’t understand what they should be leveraging in the space. So meanwhile they’re thinking, oh, hey, we’re all set, that SAQ-A was super easy, you know, type of thing. And meanwhile they were supposed to be filling out the monster SAQ-D, type of thing, just because of their role. So, you know, really for the uninitiated that tries to go down the path, you know, they can run into various pitfalls, but, you know, you can easily go out and find the requirements for the self-assessment questionnaires online in PCI’s document repository. You know, for any of the self-assessment questionnaires, there are basically two pieces to it. So there’s the self-assessment questionnaire itself. That’s really more of an internal document for your organization, you know, basically using that document to go through and do all of your confirmations, affirmations. You know, effectively the self-assessment questionnaire is the detailed information used to sign off on the various controls the organization has in place. And then there’s a secondary document, which is the attestation of compliance, which is effectively, you know, an overview or highlight reel of the content that sits behind it on the self-assessment questionnaire. You can sign that document, provide it out to others, you know, things along those lines. In many cases, organizations will not distribute their attestation of compliance outside of, you know, being under NDA or MNDA. I’ll leave that call up to the individual organization as to how they want to handle it. But generally speaking, the AOC is the document that you would, you know, basically share with others, and the self-assessment questionnaire, you know, is internal.
You know, the AOC, the one thing for a lot of folks to kind of be cognizant of, you know, is that the AOC is effectively your sign-off to other organizations that you’re following PCI, you know, etc. So it’s an important document that other organizations will be able to go through and leverage.
Cool, well, how do you tell if you’re eligible for a self-assessment? Well, if your organization is processing kind of a certain amount of actual cards, then there are levels that you’ll need to basically exceed. And then you have to go down the route of a report on compliance and leveraging a QSA for that validation. So as long as your organization is processing less than the target amounts for transactions, then you’re able to head down the self-assessment route. Like I said earlier, even if you aren’t obligated to have some assistance from a security compliance consultant or required to have an assessor involved, there may be reasons why the organization will… you know, either opt to do it right out of the gate, or kind of start off with a self-assessment or the self-sign-off and escalate to leveraging consultants and then assessors. So, you know, the one thing I’d recommend to organizations is, you know, go have a conversation with the folks for your merchant account. Confirm with them what the requirements are that you’re gonna be held to, because at the end of the day, you know, they can give you the directional guidance on that one.
Okay, well, why would a third party take your word for it? Well, that’s kind of the downside, right? Yeah, but I swear by everything under the sun, you know, we are good, you know. But, you know, that’s the downside any time somebody does a self-assessment, you know, is that you’re basically asking, you know, your clients, your partners, your prospects to take your word for it. You know, trust me, you know, type of thing. And, you know, you don’t have a third party that’s, you know, watching over your shoulder and holding your feet to the fire, validating what you’re doing, etc. So, you know, you certainly have an incentive to, you know, paint yourself positively. So, you know, how do they know that your AOC is trustworthy? Well, if they’ve got any experience with compliance, for sure, they’re going to be wary as they go into it. I know I’ve had to do a lot of reviews of organizations’ AOCs, whether that AOC was associated with a SAQ or a ROC. And, you know, certainly if I get a SAQ that doesn’t have a QSA sign-off, oh, I’m gonna be asking a lot more questions, because generally speaking, you know, with those organizations, the quality of what they produce is generally substantively lower. You mean Scout’s Honor doesn’t get the job done? Yeah, you know, it may in some circles, but, you know, the reality is that, you know, when you’re looking at these documents, you are… truly putting your trust in that other organization to take it seriously, have it done correctly, you know, all that fun stuff. So, you know, to get some additional credibility, or instantly recognizable credibility, you know, for the smaller organization that’s just been doing the self-assessment, you know, start off with getting a consultant into the mix. The consultant is not going to cost as much as an assessor, certainly if you don’t have to go down that path.
It can be a move which will increase the sense that you are doing it properly, that you’re taking it seriously, etc.
But, you know, there’s going to come a point where, you know, the organizations that you’re working with, and especially as you start to, you know, move up into larger and larger scale organizations that your organization works with, the less they’re just going to want to have even a consultant go sign off on it. They’re going to want an assessor that’s willing to put their name on the line, that’s willing to say that they’ve done the assessment, they’re willing to say that your organization is meeting the mark, you know, etc. You know, whether it’s a good consultant or a good QSA, you know, these are professionals that they live and die by their reputation. So, you know, anybody that’s good isn’t going to put their name on a piece of paper unless they have gone through, done the validation because they know that other organizations are going to be depending on, you know, basically what they signed off on.
Well, interesting. I guess my next question is, how does leveraging something like a compliance management system help? Well, one of the biggest dangers when you’re talking about a self-assessment is that possibility of kind of breezing through the requirements, right? And we’ve talked about this on several occasions, where somebody hits a section on antivirus and they go, yeah, yeah, yeah, we’ve got antivirus, you know, check. Hey, you know, my interface lit up with a pretty green button or whatever, you know, type of deal, and they keep it moving. You know, a good compliance management system, and I’m definitely not referring to the green check boxes, the more high-level, you know, check-the-general-boxes, you know, type of thing that you’ll typically see on some of these platforms, where, yeah, they’re really targeted at the, you know, entry-level merchants, you know, type of thing, to help them get the paperwork filled out. You know, with a lot of those tools, it’s just an exercise in trying to make the screen look pretty with all the green check boxes. You know, a good compliance management system is going to force a structure that makes you go through at the line-item level, you know, so, do you have this specific element of antivirus in place, you know, type of thing. So instead of doing the check boxes, you’re now, you know, reviewing those requirements, looking at those requirements, forced to put in an explanation or evidence associated with that requirement, you know, etc. I mean, anybody can, you know, breeze their way through or not take something seriously. But if you’re using a compliance management system, you’ve at least got a shot that every single requirement had to be reviewed. Every requirement needed to get some evidence. You have an internal QA process for these items to go through.
And now you’re greatly mitigating the possibility that somebody just brushes off the responsibilities that the organization may have. And, you know, not only is it an appropriate practice when you’re going through, you know, an assessment like PCI, but it also assists with protecting the organization by ensuring that you’ve actually done your due diligence for these items. Leveraging a compliance management system, you know, is also a tool that you can use to provide your clients and your partners with a greater level of confidence, you know, in the validity of the AOC. In my experience, you know, the organizations I’ve primarily seen struggle the most with completing their paperwork for PCI, you know, are those that are doing self-assessments where they’re not using any type of rigor or system to do the validation. And that’s where a lot of things just, you know, kind of get missed or get brushed over. It’s an important element as you’re looking at the target organization that you’re potentially going to be sharing data with.
Makes a ton of sense. So what exactly does it mean when you fill out an assessment? Well, the SAQ is PCI, full stop. So, you know, this is one of the misnomers that I’ve seen more times than I can count. So we were talking earlier about that vendor that just decided to, you know, inappropriately fill out an easier, finger quotes, less money, or not less money, finger quotes, fewer requirements listed on a lower-level self-assessment questionnaire than they should have filled out. And, you know, the one big piece that a lot of these organizations don’t catch when they’re doing this is that signing off on a self-assessment questionnaire is a declaration that you are following all the rules and all the regulations of PCI, not just the 12, 22, 50, whatever check boxes you had to answer. One of the check boxes that you have checked says that the organization is indeed following the PCI DSS and doing everything appropriately. That one little check box is a big deal. You are signing a piece of paper that has potential legal consequences for the organization. With that signature, with that declaration, you are declaring that you are going to continue to maintain your PCI compliance, which means, because of the way that they’ve written it, that you are, yes, of course, obligated for however many things you happen to have on the self-assessment questionnaire, but at the end of the day, you’re signing off that you’re following the full breadth of PCI, because technically, if you pick the right self-assessment questionnaire, you are only viewing those items which are truly applicable to your organization. So when you picked the wrong one and signed off and said, oh, we’re going to follow PCI DSS, well, now you’re only checking the boxes on 12 items where maybe there are 75 or 150 or whatever that are actually applicable to the organization, and yet you don’t have the cross-check, double-check.
The signing of that piece of paper also comes with the ongoing operational compliance that comes into play after you get there initially. PCI has requirements where organizations have tasks to complete that are daily, weekly, monthly, quarterly, semiannual, and once a year, whether or not you’re assessed by a third party or whether you’re going through and doing your own self-assessment. So while the SAQ gives the organization the freedom to go in and do your own assessments, you know, it also doesn’t provision a pass on fulfilling your responsibilities under the PCI DSS. You know, PCI compliance is PCI compliance, whether you’re signing off on it yourself, whether you had a consultant in the mix, whether you had an assessor, you know, in play. You know, at the end of the day, you know, you’ve got responsibilities. So, you know, I know we’ve kind of covered a lot for some of the listeners. For some of the listeners, however, that, you know, aren’t that far into the security and compliance realm, or never considered or had another road to PCI, you know, the notion of the ongoing maintenance against a standard like PCI can be overwhelming, you know, but certainly, you know, the TCT Portal operational mode makes maintaining that PCI compliance suck a lot less through leveraging automation and making things less stressful for the folks that are having to go through it.
Nice. Parting shots and thoughts for the folks this week, Adam. So, yeah, I mean, you know, we’ve been kind of hammering away at it as we’ve been going through this particular topic, but the notion of self-assessing can definitely be an attractive option for a lot of organizations, but it’s not something that organizations should take lightly or just jump into wantonly, if you will. Make sure that you’re doing your due diligence. Make sure that you have your homework done, that you know what you’re getting into before you get into it. I definitely would not recommend doing what I’ve seen a number of organizations do, which is just pick a self-assessment questionnaire and go for it, type of thing. You know, have conversations with people around you. Have conversations with experts in the space, whether they’re consultants or QSAs, you know, before deciding which path to take. So, you know, the one thing I’d mention to the listeners is this: you know, TCT has been in the space for a long time. We know a lot of folks that do consulting and assessments, and certainly if somebody’s looking for someone to provide some direction, we’d be happy to go ahead and help folks get headed in the right direction. I mean, our organization was founded on the premise of helping others and helping people, certainly with making compliance suck less. So, if I can connect, you know, listeners with people that don’t suck to deal with, then we’ll call that a win.
That’s a win indeed. And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.