The latest Assessor Newsletter from the PCI SSC finally crosses the T’s:
Aligning Expectations: Assessor and Acquirer Interactions
Through discussions with assessors and acquirers, we’ve realized a need to recalibrate expectations. Assessor and acquirer interactions rely on two premises – the acquirer as final arbiter of risk and the assessor as PCI subject matter expert (SME).
Occasionally, assessors may pursue an approach for clients that deviates from the norm – for example, an assessor’s intent to support control reduction consistent with SAQ P2PE with non-P2PE listed encryption solution use. In these cases, assessors must act as PCI SMEs, presenting fully formed recommendations supported by evidence and experience to the acquirer. The acquirer then executes informed acceptance, with view into the approach and opportunity to raise questions or conclude that the approach is not acceptable to the acquirer.
Assessors should also provide detailed explanations of the role they performed in assisting with a merchant’s self-assessment in part 3c of the SAQ AOC. Acquirers are reviewing this documentation to validate a merchant’s PCI DSS compliance. It is important to remember that clearly defining how the assessor is involved with the assessment may prevent follow-up questions to both the merchant and the assessor.
What shouldn’t happen is assessors asking acquirers to determine approach or details of execution. Assessors cannot expect acquirers to have the same technical experience required to determine appropriateness. Further, it is unnecessary to ask the acquirer to sign any document stating approach agreement. More reasonable is documenting that due diligence in ROC/AOC reporting and retaining related emails or correspondence notes within the work papers.
Much like an entity outsourcing to a service provider, assessors cannot outsource responsibility for an approach that is not defendable. AQM is not intending to imply that as arbiter of risk, the acquirer’s opinion should supersede the assessor’s opinion in cases where the assessor is not comfortable with an approach supported by the client or accepting entity. The assessors’ value lies in independence and an assessor should not pursue approaches that conflict with their knowledge or endanger their ability to comply with the QSA Qualification Requirements.
Regardless of the standard (the newsletter mentions P2PE in the context of a PCI DSS assessment), QSAs must always be as clear as they can, retaining all conversation notes, e-mails, everything, in the working papers. If something smells funny, whether because of some Fosbury approach supported by your client or because you do not feel comfortable, be it from your own lack of skills or from an abundance of overpowering ones, go to the acquirer, who will have the final word.
Otherwise, if you want to shoot, shoot. Do not talk.
Happy Auditing! 🙂