Lapse of Control: Applauding PCI SSC for FAQ 1572
I want to applaud the PCI Security Standards Council (PCI SSC) for FAQ 1572 published in March of 2024 for simply and effectively answering a question asked by countless assessors for several years.
The question is: Can a compensating control be used for requirements with a periodic or defined frequency, where an entity did not perform the activity within the required timeframe?
Every QSA with whom I have discussed this confirms that they have helped companies through a temporary lapse in required security controls. We have all seen lapses in meeting vulnerability remediation SLAs, obtaining passing quarterly ASV scans, and much more. To what other security controls might this apply? Honestly, to any control that must be performed periodically throughout the year; those tasks will be detailed in an upcoming blog post.
The difficult scenario is when it is time for the annual PCI assessment and all security controls are back in place. A compensating control does not seem appropriate, because there is no longer a gap in controls to compensate for.
On the other hand, these controls are only considered compliant if they were in place throughout the entire assessment period, so a status of ‘In Place’ isn’t quite right either.
The FAQ speaks for itself:
“In these scenarios, an assessor can determine a requirement to be “In Place” if the entity has implemented corrective actions and successfully performed the control in accordance with the requirement, and the assessor has assurance that:
- The entity has a repeatable and documented process for performing the control,
- The entity demonstrates that the activity was missed due to an exceptional circumstance (poor security practices and recurring failures are not “exceptional circumstances”),
- The entity shows that they have addressed the issue that led to the exception, and
- The entity has included steps in their process to prevent recurrence.
If the entity cannot demonstrate the above, or the assessor does not have assurance that the entity has processes in place to continue to meet the requirement, the assessor can consider whether a “Not in Place” finding would be the appropriate result.”
Something the FAQ does not cover is the subjective judgment of whether a failure was an exceptional circumstance that has since been corrected, or an egregious failure that leaves the control, and the report overall, non-compliant. It should be obvious that a last-minute resumption of a control cannot make up for a year of non-compliant security operations.
An exception to year-round compliance is allowable for an entity’s first assessment, where controls can be found in place without establishing an entire compliant prior year. For ASV scans, the first-year exemption is explicitly stated, but this first-year grace applies to all controls.
PCI QSAs continue to have discretion over when a lapse in a security control is not compliant. Lapses are not limited to periodic controls; all controls are expected to remain in place throughout the year. Take formal documentation like policies, standards, network diagrams, card flow diagrams, and PCI scoping reviews, for instance. Though these need to be reviewed only annually, they are expected to be kept up to date, especially after PCI-significant changes. For this reason, lapses in security controls can occur anywhere in the DSS, and the FAQ is potentially helpful across the entire DSS.
Why was this FAQ needed? Several times, at community meetings, the PCI SSC has stated that periodic compliance controls must be in place throughout the year. Until now, questions on how to handle such temporary lapses have been side-stepped. I encourage the PCI SSC to answer other difficult compliance scenarios in a similarly simple and direct manner.
My favorite characteristic of this FAQ is that it is much shorter than this blog entry. In that spirit, I'll keep this brief: Thanks for reading!