PCI-DSS and the Pervasive Certification Myth

The pervasive certification myth is so pervasive in PCI-DSS that we are going to give it its own Acronym: PCM. Because we are so tired of having to explain this over and over, we are going to canonize this corporate disease called PCM and forever immortalise it as the one of the most deluded, misleading and misinformed quackery to ever blanket the PCI-DSS industry, the same sort of quackery that insists urine therapy should still be used today for natural teeth whitening. Yes, it seems appropriate to compare these two in the same breath.

Please note that the below article is satirical (borne out by our immense frustration and oftentimes resignation that this will never be properly sorted out, ever).

PCI-DSS and PCM

The history of PCM has its roots in PCI-DSS itself being considered as a standard that can be certified against. Because of the name, Payment Card Industry Data Security Standard, immediately, fairly important people in the financial and banking industry who generally prefer to spend more time golfing and drinking fine wine than to actually read the standard and understand it better – these people concluded that like any other standard, there must be a certificate to ‘prove’ you are compliant. I mean, why not? ISO9001 has it. ISO27001 has it. Additionally, these were the same people who insist on having a certificate for literally everything that they do in their corporate life, from attending a half hour seminar talk on how to grow daffodils, to sleeping though a computer based training webinar; to providing a poor soul whose car has broken down some assistance in pushing it to the side of the road. Where’s my certificate to prove that I helped you, my good man?

Apparently, certificates are absolutely critical to our financial industry, without which our entire economy would surely descend into the Dark Ages of Financial Purgatory. In the same way, it has perpetuated into PCI-DSS that despite everything that the PCI council has said and has begged the entire industry to reject this PCM quackery, 99% of the time, we are still faced with the mind boggling, soul numbing, heart wrenching email or question stating: I want to see your PCI certificate.

Here’s the official statement from PCI council:

FAQ #1220

Are compliance certificates recognized for PCI DSS validation?

 

No. The only documentation recognized for PCI DSS validation are the official documents from the PCI SSC website. Any other form of certificate or documentation issued for the purposes of illustrating compliance to PCI DSS or any other PCI standard are not authorized or validated, and their use is not acceptable for evidencing compliance. The use of certificates or other non-authorized documentation to validate PCI DSS Requirement 12.8 and/or Requirement 12.9 is also not acceptable.

 

The PCI SSC website is the only source of official reporting templates and forms that are approved and accepted by all payment brands. These include Report on Compliance (ROC) templates, Attestations of Compliance (AOC), Self-Assessment Questionnaires (SAQ), and Attestations of Scan Compliance for ASV scans. Only these official documents and forms are acceptable for the purposes of compliance validation.

 

Because certificates and other non-authorized documentation are not officially recognized, entities that receive these documents to indicate their own compliance (for example, from a QSA or ASV) or another entity’s compliance (for example, from a service provider) should request that official PCI SSC documentation be provided. Any organization issuing, providing, or using certificates as an indication of compliance must also be able to provide the official documents.

OK.

We actually would prefer the answer to just be: “No. For heavens’ sakes stop asking the council such questions and waste our typing time on the keyboard!” But we are not the council. Else we will be out of work within a day.

You ask then: Wait a minute, if there is no certification, what are we supposed to submit then?

Well the answer to that is: it depends.

If you are a level 1 merchant or service provider, then you submit your Attestation of Compliance (AoC) signed off by yourself and the Qualified Security Assessor (QSA) or Internal Security Assessor (ISA). You may also submit your ASV scan reports, or if requested your full Report of Compliance (RoC). But rarely those last two are needed. What is needed is the AoC. That’s your PCI ticket. If you are doing a self signed Self Assessment Questionnaire (SAQ), you submit in your AoC, and if required the full SAQ documents with your response on the applicable questions.

I suppose we (the consultants, advisors, auditors) didn’t help in stopping this PCM disease ourselves, by oftentimes referring to Level 1 as a PCI ‘certification’. It’s more of figure of speech than anything, meaning that a third party is to validate your compliance as opposed to you doing a self validating process under the Self Assessment Questionnaire (SAQ) path. So we end up saying certificate, certificate, certificate and finally everyone asks, well, then, where is my certificate? As in the actual, real certificate, and not this figure of speech one?

It also doesn’t help that most (if not all) QSAs play along with this ridiculous fallacy. They will come up with their own ‘certificate’, made to look very official, very grand, very formal and very important looking. You know, those papers with flowery borders at the side and some huge bold statement saying, So and So are official certified, and signed off by a very important person. Some even put a seal in there for good measure. As if they graduated from Hogwarts.

The truth is, that certificate paper is just piece of paper. It’s not acceptable in any way for PCI-DSS and shouldn’t even be requested by acquirers or banks. Yes, no matter that the QSAs even make it look like it’s gold laced, and our customers print it out in all its Arial font glory, and spend a few bucks to frame it up nicely. That’s all well and good, and they are entitled to do anything with it, but PCM rears its ugly head when acquirers, banks, customers and clients insist on having it. INSIST.

If you have gone through the level 1 validation with a QSA and that QSA is able to provide one of these certificates, as a consequence of the PCM disease, then I suppose it’s fine, you can just play along as opposed to haranguing them about the PCM disease like what we are doing right now. Just provide them that dratted document. This does increase the myth further though, and it starts infecting the entire industry even more, because, now the acquirer/client/bank will go to another company and declare they need the certificate that the other merchant had provided. Until they reach a small company who is doing their own SAQ, whereby they say: “Yes, even if you are doing a level 4 merchant compliance, you should still be having a certificate! Come on now, chop chop!”

And that’s what we are facing.

Without exposing which industry right now we are assisting (those following our recent blog posts may venture a very educated guess), we are helping a lot of merchants undergo level 4 self signed SAQs. This is absolutely allowed by PCI-DSS. There is zero requirement to get QSAs involved. ZERO. In fact, PCI council printed this out in their Top 10 myths of PCI-DSS.

So now, our clients want to submit their compliance document (AoC) to the group requesting for it and here is the summary of response they received: 

a) The group requesting our client’s compliance says that the SAQ needs to be sent over to the QSA so that the correct SAQ type applicable to our client’s business will be determined. (WHAT?!)

b) Our client only now has to submit the PCI DSS compliance certificate.

I looked at it and we just shrugged. Resignation. PCM. This is what this disease has caused.

Firstly – the first phrase is proof that the writer has not bothered to even understand the background of SAQ and PCI.

No. The SAQ DOES NOT NEED TO BE SENT TO THE ASSESOR! It doesn’t even make sense. You are telling me to send the assessor the SAQ document I filled up so they can determine what SAQ I need to fill up? What sort of recursive devilry is this? Is this one of those tricky while-do loop we do as programmers that never ends because the condition to end is the condition to begin as well?

How many times have the PCI council stated that it is not the QSA’s role to define the validation requirements of the merchant, or the service provider or the bank. It’s NOT. The QSA’s role is to assess based on whatever validation requirements that has been determined. Yes, they can advice. Yes, they can with their amazing experience and god-like understanding of PCI-DSS, suggest which validation requirement to take. But at the end, the acceptable validation requirements are based on the bank, the acquirer, or worst case whichever company requesting the merchant to be compliant. If none, then the validation requirements must fall back to the guidelines provided by PCI SSC, which means, it falls back to the individual card brands. We are not going to go into that for now, but in general, VISA/Mastercard has an agreement on merchant levels, but Amex has some weird levels of their own. What we are stating is that, if a merchant is considered a level 4 merchant based on its volume, but the acquirer decides that they must still undergo Level 1 validation, then that’s the acquirer’s call. But it’s never the QSA/consultant to decide this. The QSAs job is to assess the company against the validation requirements and have an opinion if it is pass or fail. The type of validation is determined by the acquiring party. So, no the first sentence is already incorrect, never mind the recursive gibberish.

The second sentence is where PCM disease kicks in. Because nothing is known about the ‘AoC’, everyone immediately assumes that the certificate is an official document from PCI-DSS and it should be sent in. No. If the merchant is doing a level 4 self signed SAQ, that is 100% allowed by the council and by their acquirers, where in Thor’s Holy Hammer are they going to get a certificate to fulfill your insatiable lust for PCI certificates??!!

I am tempted to just have my 5 year old son draw a smiley face on an A4 paper, and stick one of his favourite Cars 3 character sticker on it, sign off and laminate it.

Go ahead – I dare you to google “PCI certificate” and click on ‘images’ and see the result of PCM in our world. Thousands upon thousands of PCI certificate documents, some even daring to put the PCI SSC logo on the certificate as if to say PCI SSC has endorsed the certificates, to provide these documents an air of official integrity. Even worse, we see QSAs giving ‘certificates’ for clients undergoing SAQs. Wait, if they have audited them, then OK, fine. But if is a self signed SAQ, how can certificates be even provided?

We are not saying what they are doing is wrong. No, it’s not wrong to provide a PCI certificate. But PCI SSC has clearly stated that if you guys want to do this, you must state clearly that these are not official PCI documents and these are supplementary, not mandatory and only provided by the QSA/ASV and not endorsed by PCI-SSC and cannot replace the official documents like AoC or RoC. Basically, PCI is just saying, “Put it up in your office or your lobby so you can brag, but please don’t show it to us and say you are PCI compliant, we rather be looking at a piece of art written by a 5 year old kid with some Cars 3 character sticker on it.”

Finally, to end this article (or rant, it may seem to some). The reason why this is written is to drive home the fact that PCI-DSS has no actual paper certificates. None. Whatsoever. The actual document you should be requesting for is the Attestation of Compliance (AoC). Please do not ever request for the Certificate of Compliance ever again because this means, you are guilty of spreading the epidemic of PCM across the world.

Note: This article is meant to be satirical, for us to blow off steam and not intended to offend any party or to dispense actual advice. There is actually no such thing as an official PCI Pervasive Certification Myth. At least, it has not yet been officially defined, as far as we know.

 

 

 

Leave a Reply