PCI Requirements for Working Papers Means More Work for Merchants, QSAsBy: Gavin Weir
"The more you know, the less you know" is an apt phrase to apply to the ever-expanding world of Payment Card Industry (PCI) DSS and the PCI Council's roadmap. This is particularly true with regards to the oversight the council wants to exert in the area of working papers, or backup documentation.
In short, the new mandates will require additional effort from both merchants and QSAs. As a result, the re-assessment process will need to begin earlier for compliant merchants. The increased assessment time will have a corresponding impact on cost. Since this cost will be the responsibility of merchants, they will have to budget resources accordingly.
The Roots of ROC Quality Issues
When PCI assessments began, the PCI Council had no access to Reports on Compliance (ROCs) and associated due diligence documentation. It was the acquirer's responsibility to review the ROCs that were submitted by their merchants.
Not surprisingly, the quality of ROCs suffered. Many QSAs will remember the standard response, it was verified by review of documentation that this requirement is in place. With no formal obligation to provide backup documentation, some QSAs even completed assessments via the phone, with little or no verification that PCI requirements were actually being met in practice. As you can imagine, this alarmed the council, and rightly so.
PCI Council Introduces Rules on ROCs and Working Papers
Enter the PCI Council plan to improve the quality of ROCs. To effectively monitor progress, the council added requirements for access to the ROCs for sampling purposes. In addition, the requirement to provide access to working papers made its way in, generally unnoticed or unappreciated at the time.
Since then, the quality of ROCs has gradually improved, mainly due to the introduction of the reporting instructions which specify how individual testing requirements are validated.
Now, however, the council wants confirmation that the assessment was actually carried out as detailed in the ROC: that the QSA performed the specified sampling, conducted the appropriate interviews and reviewed relevant documentation.
Why the PCI Council Changed the Rules
The PCI Council was presented with beautifully crafted ROCs, even though they were template driven. But did the ROCs accurately reflect the PCI assessment that took place? The only way to verify this was to give the PCI Council access to working papers.
QA and the Audit Framework
The PCI Council is now expanding the QA process and introducing an Audit Framework. Companies that carry out QSA assessments can be placed in remediation if their ROCs fail to meet the updated reporting instructions.
We expect that the next logical step will be that the council will sample the working papers of passing ROCs to confirm that documentation is available to support the verification statements.
All documentation and supporting materials must now be collected and retained a time-consuming process that will doubtless lead to new questions on how such data should be archived and managed.
A redaction process to eliminate proprietary corporate information may also be necessary. Merchants are understandably nervous about exposing sensitive details of their business, so there may be a requirement to redact any working papers that are submitted to the council. While it is practical to redact a ROC, it is clearly impractical to redact all working papers. This is yet another challenge that will need to be addressed.
It's evident that the new requirements will require additional time, effort and resources for both merchants and QSAs. Since merchants will bear the brunt of the costs, they should plan for additional time and budget for assessments, whether it's their first ROC or they've been through several.