Tuesday, December 9, 2008

Editing the PCI DSS: how and why

Anyone who has dealt with PCI knows that it isn't as straightforward as it might appear at first glance. Many of us find ourselves turning into junior paralegals as we wrangle with definitions and try to work out whether what we're doing meets the requirements or not.

For example, what is the boundary of the cardholder data environment? Obviously, if something processes credit cards or is used to accept credit card payments, it is part of the cardholder data environment. But what if your Point of Sale (POS) system uses your phone system to contact the credit card provider? Does that mean your whole phone system is now in scope?

The latest version of the DSS (Data Security Standard), v1.2 released in October 2008, is a big improvement over the previous versions. It is much longer, but that extra length buys quite a bit of clarity. However, that doesn't mean all doubt will be erased from your mind. Take this bit of text on network segmentation, for example:
At a high level, adequate network segmentation isolates systems that store, process, or transmit cardholder data from those that do not. However, the adequacy of a specific implementation of network segmentation is highly variable and dependent upon such things as a given network's configuration, the technologies deployed, and other controls that may be implemented.
We might spend a lot of time arguing, looking up references and talking to people to decide whether our segmentation or compensating controls are strong enough. Maybe we talk to a QSA (Qualified Security Assessor) who tells us what we need to do if we want to pass his audit. Or we search the Internet and find some answers. Then, if we want to preserve this knowledge, we have to put it into some document and save it. From then on we are cursed to maintain two documents: the answers we type into the DSS, and our crib notes. Hell, maybe the tiny comment space in the DSS isn't big enough and we want to be more verbose. What are we to do?

Well, I've decided that I'm going to keep my edits in the DSS itself. I downloaded the .doc version of the DSS and found that I couldn't edit any of the text because the document is protected. I am also unlikely to guess the protection password. I tried saving the .doc as .html to see if I could find the hashed password value, but was not successful. So then I tried opening it in Pages and, voilà, I was able to edit the document. Now I can edit the DSS, add my notes and references, and keep track of my organization's efforts to be compliant. So if you want to be able to edit your copy of the DSS, just buy a Mac, buy iWork and open it up in Pages. I can see this technique being particularly useful for QSAs who want to keep some of their auditing practices or notes in the DSS.
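Why does opening the file in a different application work? Word's "protect document" feature is an editing restriction that Word itself enforces: the file records a flag and a password verifier, and the text stays in the file in the clear. An application that never consults the flag (Pages, in the post above) simply edits the text. The following is an added example written for this page, not code from the original post or from the PCI Security Standards Council. It demonstrates the point on the zip-based .docx (OOXML) format rather than the binary .doc the post downloaded, because there the flag is a single XML element that the Python standard library can read and remove; the binary format stores the equivalent as a protection flag and a 32-bit password verifier in the document properties, with the same consequence. The package it builds, including the hash and salt values, is a constructed fixture, and the function names are the example's own.

```python
"""Word "document protection" is a flag in the file, not encryption.

Added example for this page (not from the original post). Builds a tiny .docx
in memory with an enforced read-only protection flag, shows the text is stored
in the clear, and rewrites the package with the flag removed. Nothing here
needs or checks the protection password. Standard library only.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
PROTECTION_TAG = "{%s}documentProtection" % W_NS
PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Constructed fixture: the smallest package that carries a body and a
# settings part. The w:hash / w:salt values are arbitrary; in a real file
# they are a password verifier Word checks before it lifts the flag.
_PARTS = {
    "[Content_Types].xml":
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        '<Override PartName="/word/settings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml"/>'
        '</Types>',
    "_rels/.rels":
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="%s"><Relationship Id="rId1" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" '
        'Target="word/document.xml"/></Relationships>' % PKG_REL_NS,
    "word/_rels/document.xml.rels":
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="%s"><Relationship Id="rId1" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings" '
        'Target="settings.xml"/></Relationships>' % PKG_REL_NS,
    "word/document.xml":
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="%s"><w:body><w:p><w:r><w:t>'
        'Sample paragraph standing in for DSS text.'
        '</w:t></w:r></w:p></w:body></w:document>' % W_NS,
    "word/settings.xml":
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:settings xmlns:w="%s"><w:documentProtection w:edit="readOnly" '
        'w:enforcement="1" w:cryptProviderType="rsaFull" '
        'w:cryptAlgorithmClass="hash" w:cryptAlgorithmType="typeAny" '
        'w:cryptAlgorithmSid="4" w:cryptSpinCount="100000" '
        'w:hash="AAAAAAAAAAAAAAAAAAAAAAAAAAA=" w:salt="AAAAAAAAAAAAAAAAAAAAAA=="/>'
        '</w:settings>' % W_NS,
}


def build_protected_docx():
    """Assemble the constructed fixture into .docx bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, xml in _PARTS.items():
            z.writestr(name, xml)
    return buf.getvalue()


def container_kind(data):
    """Tell an unencrypted OOXML zip from an OLE compound file by magic bytes.

    A merely "protected" .docx is still a plain zip. Real Office encryption
    wraps the package in an OLE container, which shares its magic with a
    legacy binary .doc, so this check alone does not settle the .doc case."""
    if data[:4] == b"PK\x03\x04":
        return "ooxml-zip"
    if data[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1":
        return "ole-compound"
    return "unknown"


def protection_settings(docx):
    """Return the documentProtection attributes (namespace stripped), or None."""
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        root = ET.fromstring(z.read("word/settings.xml"))
    el = root.find(PROTECTION_TAG)
    if el is None:
        return None
    return {k.split("}")[-1]: v for k, v in el.attrib.items()}


def body_text(docx):
    """Concatenate every w:t run; readable whether or not the flag is set."""
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    return "".join(t.text or "" for t in root.iter("{%s}t" % W_NS))


def strip_protection(docx):
    """Rewrite the package with the documentProtection element removed.

    This is what opening the file in an editor that ignores the flag amounts
    to; no password is involved because none was ever needed to read it."""
    ET.register_namespace("w", W_NS)
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == "word/settings.xml":
                root = ET.fromstring(data)
                for el in root.findall(PROTECTION_TAG):
                    root.remove(el)
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(item, data)
    return out.getvalue()


if __name__ == "__main__":
    locked = build_protected_docx()
    print("container:", container_kind(locked))
    print("protection:", protection_settings(locked))
    print("text while 'protected':", body_text(locked))
    unlocked = strip_protection(locked)
    print("protection after strip:", protection_settings(unlocked))
```

The practical check this gives you: if a .docx still begins with the zip magic, whatever "protection" it carries is advisory, and its contents are readable by anything that unzips it. Only a file that has been wrapped in the OLE container by Office's encrypt-with-password feature actually requires the password to read.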

I'm pretty sure that what I did is frowned upon by the Payment Card Industry, so if you go this route you probably shouldn't share your edited document. Also, I'm not going to share mine so please don't ask me for it. Hope this helps someone.


Anonymous said...

"I am also unlikely to guess the protection password" - pcidss

Black Fist said...

If that is seriously the password, I'm going to be pissed.