Next year, plan better and your assessment will likely go better. From time to time, organizations find themselves in the predicament of not being able to meet a PCI DSS requirement due to business or technical constraints. When the CCW was updated back in for v1. However, here we are at v3.
As a result, I think it is time to take people through a refresher on the CCW. Once that has been completed, you will then want your acquiring bank to review it to ensure that they will accept it as part of your self-assessment questionnaire (SAQ) or Report On Compliance (ROC) filing.
Failure to use the proper format will create issues with your QSA, your bank and with the Council, particularly if you are doing a ROC.
So please use the Council-supplied format and do not develop something on your own. [If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process] was not allowed to have a CCW. At the Community Meeting, the Council backed away from that restriction and said that any requirement can have a CCW with no restrictions.
While the Council tells everyone to have an individual compensating control for each requirement, there are some places where a compensating control is the same for a number of requirements. This most often occurs for requirements in section 8 around the various user management requirements or 6.
I would highly recommend using one CCW per requirement, but I can understand why you might combine some. Just be judicious in combining them. Also, list not only the number of the requirement(s), but also the text of the requirement from the Requirements column in the PCI DSS.
Believe it or not, I have had a lot of organizations provide just such simplistic and silly reasons for justifying a CCW. Proper justifications can involve budgetary constraints, timing e. If you do have a target date for addressing the CCW, this is where you want to provide that information so that readers know that the CCW has some time limit.
The original objective is the easiest part of the CCW to develop.
If you are using the CCW for multiple requirements, this section can get rather lengthy, and I would recommend labelling each piece of Guidance information with its requirement to help readers follow it. The next section can sometimes be the toughest to develop, and that is the identification of any additional risk introduced because you are using a CCW. In some cases, there may actually be no additional risk perceived from using a CCW. However, if you are compensating for having to keep Windows XP running, that will likely be a very different story, and depending on the compensating controls put in place, the risk could be moderately higher than not having XP around at all.
The key here is that the risk should be assessed and then honestly discussed in the CCW. If you think you are going to say that having XP does not increase risk to your cardholder data environment (CDE), I would seriously think again regardless of the compensating controls you have in place, because any outdated Windows implementation is a security problem waiting to happen regardless of how you think you have mitigated the risk.
The compensating controls section is where the rubber finally meets the road. I recommend that people either bullet point or number list each individual control. The reason is that in the next two sections, you need to tie the validation and maintenance items to the controls in this section, and doing some sort of list makes it easy for people to ensure they have covered all controls in each section. The most common mistake made in this section is organizations stating that they have a project to remediate the issue(s). Sorry, but this is NOT a control. It is nice information, but it is not a control that can be relied upon.
QSAs never want to see statements about future projects in this section. This section is all about what you are doing from a controls perspective to manage the fact that you cannot meet the requirement(s). The list here can go on and on, but hopefully I have given you some ideas of how to create compensating controls that can actually compensate for your inability to comply with the requirement(s).
One key point though is that you cannot use a requirement in the same requirement group to compensate for a different requirement in the same group. For example, requirement 6. You cannot write a compensating control for one sub-requirement in 6.
So using our previous bullet list, here is what the control validation bullets would look like. Finally, you need to document what your organization will do to ensure that the controls remain implemented and effective. This is where most compensating controls fall apart. The organization gets through their assessment and then neglects to keep the compensating controls working. Using our list from the compensating controls section, the maintenance controls would look something like this.
A good idea in the maintenance section is to set timeframes for remediating any control testing failures. One other important item of note about the controls, validation and maintenance lists.
PCI DSS Compensating Controls – Blog - CarrollNet
CCWs must be shown to be in place and operating. A promise of implementing a control is NOT a control either. The control must be shown to be operating and maintained. That is an important point a lot of organizations miss. If you are going to have to use a CCW, that means you will need to identify the situation early and then get the compensating controls implemented, validated and through at least one maintenance cycle before the CCW can be accepted.
CCWs can buy organizations time while they address issues that will take longer to address than their PCI assessment period. Unfortunately, there are organizations that see the CCW as a way to be judged PCI compliant without addressing their serious security shortcomings. It is not unusual for large organizations to have a number of CCWs particularly if they have legacy applications and hardware. The QSA is required to document the network and describe any wireless the organization has implemented, regardless of whether or not the wireless has any contact with the cardholder data environment.
One of the largest breaches that ever occurred was the result of a poorly engineered and operated wireless network. As a result, to prevent future breaches due to wireless networking, the PCI DSS requires that the QSA ensure that any wireless, in or out of scope, is evaluated to determine if it is securely implemented. When an organization does have wireless networking implemented, the PCI DSS requires that the wireless networking be segregated from the cardholder data environment (CDE), whether or not the wireless is used to carry cardholder data (CHD). Again, this is in response to the large breach.
Wireless is broadcast over public airwaves, and an organization cannot be assured that someone is not eavesdropping on that broadcast. It is this broadcasting over public airwaves that trips up most organizations. People neglect or forget this fact and do not put in place the appropriate security and controls over wireless networks. As a result, the PCI DSS is trying to ensure that, should wireless be compromised, the entire network is not also compromised by default. And even if an organization does not have wireless networking, under this requirement the QSA is required to document what procedures they used to determine that there was no wireless implemented.
As with requirement 1. For reference, requirement For an organization with only one or a few locations, this requirement is not that onerous. As a result, you get wireless intrusion solutions such as those from Motorola and AirTight to automatically detect unapproved wireless devices. While these solutions meet the requirements of There is the alternative of implementing other controls on the network which can also be used to meet this requirement that I have discussed in another blog entry. However, this compensating control has its drawbacks as well. At the end of the day, the bottom line here is that all organizations are required to ensure that wireless networking is either not present on their network or, if present, it is only their wireless devices and that those wireless devices are appropriately implemented and secured.
This is a very popular topic these days as more and more organizations have to rely on compensating controls to comply with the PCI DSS. With the exception of requirement 3. First, let us get familiar with what is required for a compensating control. However, in practice, I write some compensating controls addressing a single group of PCI requirements such as with 8. For requirements like 8. It is up to your QSA to determine whether or not multiple requirements can be covered by a single compensating control.
Identifying the business constraint should be the easiest part of a compensating control. Negative feedback could result in a probation and revocation process for assessors. Experts say that as the standard evolves, the use of compensating controls will become less clouded. Although it's not an official compensating control, Nebel points out that network segmentation is one form of a compensating control.
Segmenting shouldn't be taken lightly, he said. Sometimes company executives believe they have segmented off the cardholder data, but the QSA discovers entry points to the main network. Nebel evaluated a service provider that claimed its cardholder environment was segmented. But after reviewing the documentation and assessing the controls in place, Nebel found the environment could be accessed administratively from certain workstations.
While network segmentation helps reduce the scope of a project, other areas, including PCI requirement 6. But securing Web applications is difficult and while some organizations could look at Web application firewalls as the answer, others will look for alternatives to satisfy the requirement, Rothman said.
PCI compensating controls: Loopholes or lifesavers?
Assessor has final say

Rothman agrees that ultimately the success or failure of implementing a compensating control will come down to the judgment and experience of the assessor. A company whose credit card data is protected by several layers of security and can only be accessed by an internal person with the proper administrative controls will likely meet the encryption requirement via a compensating control, but it will all come down to the assessor's judgment, Rothman said.
There are no generic answers -- every company has a slightly different environment around credit card transaction systems -- so that's why compensating controls are unacceptable for the first assessment, Rothman said. The PCI Data Security Standard lays that out, saying that companies should be aware that a particular compensating control will not be effective in all environments. As a QSA, I have to look for weaknesses and make sure things are implemented and managed properly. Is this control adequate? Does it meet the requirement?
If it's cheaper, that's OK.
Although compensating controls can be tempting to implement, they are going to hurt businesses in the long term.

They will prevent security breaches: Relying on compensating controls will not help prevent fraud or security breaches.

A compensating control will be effective in all environments: Many companies operate under the belief that a compensating control that works in one environment will work just as well in another.
Four misconceptions around compensating controls.