Payment gateways and payment processors have to pass PCI requirements just like merchants do. And they don’t like it any more than you do, as evidenced by a recent post by Stephen Ames of Shift4. He is pissed about a new interpretation of PA-DSS, delivered to his QSA outside the officially published guidance and standards, which places PA-DSS requirement 4.2.7 always in scope. From the post:

However, my PA-QSA stated that PA-DSS Requirement 4.2.7 is now always in scope, regardless of whether or not there is a user database within the application. … I’ve searched the PA-DSS for a security requirement that aligns with PCI DSS 11.5 – File Integrity Monitoring – and there are none. I’m certain that most application vendors would not take responsibility for file integrity monitoring at merchant sites. And I’m unable to understand why the SSC is forcing that upon application vendors, when they don’t even have that requirement written into the PA-DSS.

I searched the PCI FAQ database and found no reference to a reinterpretation of PA-DSS Requirement 4.2.7 requiring vendors to take responsibility for file integrity monitoring of their PA-DSS applications running in merchant environments. Once again, PA-DSS Requirement 4.2.7 aligns with DSS Requirement 10.2 and user access, not DSS Requirement 11.5.

… and …

“The SSC sends out compliance guidance to the assessor community.” … it now appears the PCI SSC has fallen back into its old ways of keeping participating organizations in the dark.

While file activity monitoring, and database activity monitoring as well, are often used as compensating controls for PCI-DSS requirement 10.2, 10.2 does not prescribe them. But rather than accept an ‘always-on’ requirement (and what monitoring policy would even be appropriate without a database to monitor?), Mr. Ames is trying to engage the community to devise a rational policy for when to apply monitoring and when not to.

But Stephen is not going to get a better response than “those assessors are drinking the PCI Kool-Aid”, whether or not his arguments make sense, because the assessors cannot give one. Several assessors I know have received phone calls from the PCI Council after writing blog posts or comments that interpreted, or worse, ameliorated, PCI scripture. They were reminded that they must always frame the PCI standard in a positive light or forfeit their ability to remain an assessor. So no frank public discussion will take place.

This sort of thing has been going on for a long time without signs of getting better. The PCI Council publishes the PCI standards, which are insulated from public critique by the mandatory agreements signed by assessors and participating organizations. So even the most knowledgeable parties who advised the Council can’t speak out, because that would break their agreements! That’s why, when things like non-guidance guidance are issued, there is little subsequent discussion. By design, information only flows in one direction: downhill.