Audit and Assurance


PCI DSS experts to rely or not to rely

  • 1.  PCI DSS experts to rely or not to rely

    Posted 19 Mar, 2019 10:40
    Dear Experts,

    Please help if you can by explaining to me more about PCI DSS: to what extent can I rely on it that the system is working properly or not?
    Does PCI DSS cover access management, change management, and IT operations?
    Can I say that the general controls are effective for a PCI DSS compliant entity?


    Marat Kaisseov

  • 2.  RE: PCI DSS experts to rely or not to rely

    Posted 19 Mar, 2019 10:48
    I suggest you start here:  Official PCI Security Standards Council Site - Verify PCI Compliance, Download Data Security and Credit Card Security Standards

    I did an audit a few audits ago where we checked for PCI compliance, and this is the place with much of the base information you will need.  Keep in mind that you will want to request a PCI attestation from your vendor, and that attestation should be done by someone certified to do that.  Also, which you will see once you review the materials, there are different levels of compliance, and you will have to use that to correspond to your audit client's environment.

    PCI attestation is not going to tell you if a system is working - that is up to the developers/users/etc in an organization.  The attestation tests for certain controls, not function, which may or may not be part of your audit scope.

    I do not recall in my audit the PCI attestation covering access controls, change controls, and what you are seeking.  Some of those would be the audit client's internal processes, and some would be covered in a SOC report if available.

    I am not a PCI expert, so others may offer more detail than I can.

    Thomas Miller
    Internal IT Auditor

  • 3.  RE: PCI DSS experts to rely or not to rely

    Online Forum Topic Leader
    Posted 20 Mar, 2019 03:16
    @Marat Kaisseov,

    In addition to the good information already provided by @Thomas Miller, bear in mind that PCI DSS is ONLY interested in the protection of payment card data.  I am not a PCI DSS expert either, but IMO it is strong on confidentiality & integrity but weak on availability.

    Consider your own risks against the documentation provided by Thomas before making any final decisions.

    Best Regards,


    Ian Cooke
    Audit & Assurance Topic Leader
    ISACA Journal Columnist

  • 4.  RE: PCI DSS experts to rely or not to rely

    Posted 20 Mar, 2019 10:13
    While PCI-DSS is a good framework for overall security I would not rely on it for your enterprise in general.

    Typically an enterprise will divide itself up into PCI and non PCI segments so as not to have to be contractually required to get a Record of Compliance (ROC) for their whole network.  Not only that, it is best that they are separated anyway (read firewalls, orchestration, etc.) and you won't have to show your whole network, which may have proprietary processes, to an Auditor.

    With that said, if you have no other framework for your non-PCI segments it is a good start but it really focuses on keeping Credit Cards from being leaked.  Not all the controls for credit cards are transferable in whole to other types of data.

    So the first thing is segment your network.  Get yourself compliant with PCI-DSS for the PCI portion of your network (i.e. any applications that transmit, store or manipulate credit cards) and in parallel follow a framework (e.g. NIST, CIS Controls, Unified Kill Chain, SANS, etc.) for the non-PCI portion of your network.

    Russell Fairchild
    Program Manager

  • 5.  RE: PCI DSS experts to rely or not to rely

    Posted 20 Mar, 2019 11:17
    True, but I am checking one application which is used for the payments.
    So the question is:
    What does PCI compliance give me assurance on?
    Does PCI DSS cover the change management process? Like if IT changes something, should it be tested, approved and deployed by another person?

    Marat Kaisseov

  • 6.  RE: PCI DSS experts to rely or not to rely

    Posted 20 Mar, 2019 11:45

    As others have indicated the best thing to do is check out the latest PCI-DSS 3.2.1 standards at

    It is not a long read and well worth your time.

    As far as change management, access management and most of the other things you would concern yourself with as far as security goes, PCI-DSS covers them.

    But as far as assurance, you need to specify whether you are talking about the general definition of the word or the definition as used in IT Compliance.

    For the latter, the only assurance that it provides is that if followed you have a good chance of obtaining your PCI-DSS ROC.

    Beyond that, there is no assurance that I know of.

    Russell Fairchild
    Program Manager

  • 7.  RE: PCI DSS experts to rely or not to rely

    Posted 20 Mar, 2019 11:52
    OBTW, in terms of the general sense of the word assurance, I would say No, PCI-DSS is not enough in my mind.

    But that is just me.

    Others may be able to sleep at night with just PCI-DSS.  :)

    Russell Fairchild
    Program Manager

  • 8.  RE: PCI DSS experts to rely or not to rely

    Posted 20 Mar, 2019 12:17
    Okay Russell,
    If the PCI DSS attestation gave you a report and tells you it somehow checked access management and change management and that there is an incident response team,
    can I sleep well with it? Or do I need to test again, obtain the active users list and check who has access to what?
    Do I need to check that the changes are configured or tested, or is that already covered by the attestation?

    What are the weak parts that I need to concentrate on which are not much covered by PCI?

    Marat Kaisseov

  • 9.  RE: PCI DSS experts to rely or not to rely

    Posted 20 Mar, 2019 15:04

    Hi Marat,

    As @Ian Cooke said,

    The weakest link of PCI DSS is the availability; there is no reference in the whole standard. No availability, no business continuity or disaster recovery.

    PCI DSS will give you enough details to implement technical procedures, controls and processes but the approach is not risk-based. (compliance).

    It's a good starting point, but then your risk assessment will tell you what do you need to protect your business/information.

    Does the standard provide assurance?
    Well, it depends on the business/information that you want to protect. Again, for sure it provides enough assurance for Confidentiality and Integrity. Don't forget this is a standard to protect Credit Card information.

    Does PCI DSS cover all the IT processes?

    ISO 27001 has a holistic approach and covers at a high level all the processes to protect information, but it is not as detailed as PCI DSS; so you can map PCI DSS to ISO 27001 and get an idea of what is missing and what you need. Out there are plenty of articles and documents.

    Finally, have a look at the Verizon PCI compliance report. This will give you an idea of the challenges for implementing the PCI DSS requirements in business.


    Marco Ricci

  • 10.  RE: PCI DSS experts to rely or not to rely

    Posted 20 Mar, 2019 15:32
    Think of PCI-DSS as the bare minimum and also realize that it is a point in time or a period in time check.

    The biggest thing it does not address is process in a holistic manner.

    For security you must always be checking.

    As you well know even if you set up your environment perfectly, configurations will shift due to normal operations.

    Microsoft is looking to address this with Desired State Configuration servers that will help you set up your environment according to a template and constantly check that this configuration does not drift.  Other tools out there like Tripwire aim to do this also.

    The introduction of DevOps and Cloud presents an even greater challenge to configuration management, as they purposely look to speed up changes in the operational environment and abhor things that slow it down.

    So continuous auditing becomes a must.  You will need to embed in these tools automatic reporting and checking on a real time basis as traditional auditing will not do.

    So we could spend some time talking about where PCI-DSS is deficient, or we can say: I will make my PCI segments PCI-DSS compliant, but I will also institute a holistic approach such as ISO 27001 or COBIT 5 to the management of my IT.

    PCI-DSS attestation is fine for what it does:  Keep the liability off you in the short run as long as you pass your ROC.  But it is no substitute for overall security for PCI and non-PCI segments of your network.

    Look at the processes that setup your environment and the processes that change your environment.  That is what PCI-DSS does not directly address.

    And yes, like Marco says, it doesn't address Availability.

    Russell Fairchild
    Program Manager
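The configuration-drift check Russell describes in the last post (a desired-state baseline that is continuously compared against the live environment, in the spirit of DSC or Tripwire), as an added example that is not part of the thread. It is not the code of either product: it records a baseline of file hashes at the time of the assessment, later re-hashes the same files, flags changed, missing and unexpected files, and additionally checks named settings against a desired-state table so that a file can be flagged even when only one value has been flipped. The file paths, contents and desired settings are constructed sample data, not taken from any real host.

```python
"""Desired-state drift check: compare a baseline manifest against the current
state of a set of configuration files and report any drift.

Added illustration only; the baseline, current files and desired settings below
are constructed sample data, not real host configuration.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class DriftReport:
    """Outcome of one drift check against the baseline."""
    changed: list = field(default_factory=list)             # hash differs from baseline
    missing: list = field(default_factory=list)             # in baseline, absent now
    unexpected: list = field(default_factory=list)          # present now, not in baseline
    setting_violations: list = field(default_factory=list)  # (path, key, expected, actual)

    def is_clean(self) -> bool:
        return not (self.changed or self.missing or self.unexpected or self.setting_violations)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict) -> dict:
    """Record the approved state as path -> SHA-256 of the file contents."""
    return {path: sha256_hex(content) for path, content in files.items()}


def parse_kv_config(text: str) -> dict:
    """Parse 'Key Value' lines (sshd_config style). Comments after '#' and blank
    lines are ignored; a later occurrence of a key overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    return settings


def check_drift(baseline: dict, current: dict, desired_settings: dict) -> DriftReport:
    """Compare the live files against the baseline hashes and the desired settings."""
    report = DriftReport()
    for path, expected_hash in baseline.items():
        if path not in current:
            report.missing.append(path)
        elif sha256_hex(current[path]) != expected_hash:
            report.changed.append(path)
    for path in current:
        if path not in baseline:
            report.unexpected.append(path)
    # A hash mismatch says only that something changed; the setting check says what.
    for path, wanted in desired_settings.items():
        if path not in current:
            continue  # already reported as missing above
        actual = parse_kv_config(current[path].decode())
        for key, expected in wanted.items():
            if actual.get(key) != expected:
                report.setting_violations.append((path, key, expected, actual.get(key)))
    return report


# Constructed sample: the state captured when the assessment was signed off.
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/audit/auditd.conf": b"log_format = ENRICHED\nmax_log_file_action = keep_logs\n",
}
# Constructed sample: the same host some weeks later, after routine operations.
CURRENT_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/cron.d/nightly-export": b"0 2 * * * root /opt/tools/export.sh\n",
}
# Constructed desired state for the settings that matter most here.
DESIRED_SETTINGS = {
    "/etc/ssh/sshd_config": {"PermitRootLogin": "no", "PasswordAuthentication": "no"},
}


def run_sample() -> DriftReport:
    return check_drift(build_baseline(BASELINE_FILES), CURRENT_FILES, DESIRED_SETTINGS)


if __name__ == "__main__":
    report = run_sample()
    print("changed:   ", report.changed)
    print("missing:   ", report.missing)
    print("unexpected:", report.unexpected)
    print("settings:  ", report.setting_violations)
    print("clean:", report.is_clean())
```

Run on a schedule (or from a file-change hook) and ship a non-clean report to the monitoring system, this is the "automatic reporting and checking" the post calls for; the point-in-time attestation tells you the baseline was acceptable once, the recurring comparison is what tells you it still is.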