Security Standards: PCI, SAS70/SSAE, AAA NAID

By Dag Adamson

Security compliance requirements present complications for IT asset management professionals and their IT asset disposal vendors and data destruction service providers. In addition to federal and state regulatory requirements, industry stakeholders have raised the bar by introducing more sophisticated and prescriptive measures to protect personally identifiable information (PII). Some industry-created security standards have existed for more than a decade and have passed the test of time. However, only certain parts of these security standards apply to secure IT asset management and disposition. The following summary provides ITAM professionals and vendors alike with the background of these standards, an overview of each, and how they apply to a secure ITAM/ITAD solution.

PCI-DSS – The Credit Card Industry Addresses Privacy

Consumers’ growing concerns about their personal information and credit card numbers being compromised, together with the threat of government intervention, caused the credit card industry to react with the creation of the Payment Card Industry Data Security Standard (PCI-DSS) in 2004. The global organization was founded through collaboration between American Express, Discover, JCB, MasterCard and Visa. Collectively they comprise the Security Standards Council.

Some interesting facts about fraudulent credit card losses:
  • While the actual losses may appear astronomical ($16 billion in 2014), they represent only ½ of 1% of all transactions. Most credit card companies forgive any fraudulent charges.
  • Compliance with PCI-DSS is not mandated by federal law; however, several states, including Nevada, Minnesota and Washington, have incorporated all or a portion of the standard into their state regulations.
  • PCI provides standards and guidance for merchants, financial institutions and their service and equipment providers.

[Figure: Ecosystem of payment devices, applications, infrastructure and users]

Overview of PCI-DSS

The PCI-DSS comprises two major categories, “Control Objectives” and their respective “Requirements”:

[Figure: Control Objectives and PCI-DSS requirements]

While all of the above requirements apply to merchants, financial institutions and processing/service partners, only a few of them are closely aligned with asset management and disposition activities.

Passwords (Section 2)

All organizations should have password policies and requirements. Without these security measures, attackers could potentially compromise an asset management, discovery, or wiping platform in order to reach devices that store credit card data. Multiple-word passwords that incorporate numbers and special characters offer the best defense.

Restrict access to cardholder data (Section 9)

Within the restriction of access to cardholder data, there are two requirements that apply to ITAM and ITAD:

9.8.2 Render cardholder data on electronic media so that it is unrecoverable
9.9.1 Maintain an up-to-date list of devices, including:

  • Make and model
  • Location
  • Serial number

In order to ensure that data is unrecoverable, the standard requires that a secure wipe is performed with “industry accepted standards for secure deletion” or “physical deletion of media”. This methodology is open to interpretation: while other parts of the standard cite NIST guidance or other standards, this is the only section in which NIST is not specified.

The guidance section of the standard goes on to address safeguards against “dumpster diving”, such as using containers that “could have a lock” to prevent unauthorized access. It also states that degaussing, wiping, and crushing represent suitable methods of destruction. Note: the U.S. National Security Agency (NSA) considers degaussing to be the only assured form of data destruction for magnetic media.

Many of the PCI-DSS recommendations align with the requirements found in AAA NAID certification or, at a minimum, with elements of the NIST 800-88 guidance document.

In order to comply with the PCI-DSS requirement of maintaining an up-to-date list of devices, IT asset managers and their associated ITAD service providers need to track both active and retired assets.
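As an added example (not code from the article or from any of the organizations it describes), the following Python sketch shows one way an ITAM team could keep the 9.9.1 attributes (make, model, serial number, location) for every device, append a chain-of-custody entry on each move, and record the sanitization method used when a device is retired, so that a 9.8.2-style audit can flag retired devices with no verified record of unrecoverable data. The device names, locations and the grouping of methods into NIST SP 800-88 "clear", "purge" and "destroy" categories are assumptions constructed for the example; which methods an organization accepts as meeting "unrecoverable" is a policy decision, not something the article specifies.

```python
"""Device inventory with sanitization records (added example, not from the article)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumed policy for this example: methods in the NIST SP 800-88 "purge" and
# "destroy" categories count as rendering data unrecoverable; a "clear" (single
# overwrite) is recorded but does not satisfy the check.
PURGE_METHODS = {"degauss", "crypto_erase", "purge_overwrite"}
DESTROY_METHODS = {"shred", "crush", "disintegrate", "incinerate"}
CLEAR_METHODS = {"clear_overwrite"}


@dataclass
class Device:
    make: str
    model: str
    serial: str
    location: str
    status: str = "active"                      # "active" or "retired"
    custody: List[Tuple[date, str]] = field(default_factory=list)  # (date, holder)


@dataclass
class SanitizationRecord:
    serial: str
    method: str
    performed_on: date
    performed_by: str
    verified: bool                              # verification step completed and signed off


class Inventory:
    def __init__(self) -> None:
        self.devices: Dict[str, Device] = {}
        self.records: Dict[str, SanitizationRecord] = {}

    def add_device(self, device: Device) -> None:
        # Serial number is the unique identifier required by 9.9.1.
        if device.serial in self.devices:
            raise ValueError(f"duplicate serial {device.serial}")
        self.devices[device.serial] = device

    def move(self, serial: str, location: str, holder: str, on: date) -> None:
        # Every change of location is also a chain-of-custody event.
        dev = self.devices[serial]
        dev.location = location
        dev.custody.append((on, holder))

    def retire(self, serial: str, record: SanitizationRecord) -> None:
        if record.serial != serial:
            raise ValueError("sanitization record does not match device serial")
        if record.method not in PURGE_METHODS | DESTROY_METHODS | CLEAR_METHODS:
            raise ValueError(f"unknown sanitization method {record.method}")
        self.devices[serial].status = "retired"
        self.records[serial] = record

    def unrecoverable(self, serial: str) -> bool:
        """True only if a verified purge- or destroy-category record exists."""
        rec: Optional[SanitizationRecord] = self.records.get(serial)
        return (rec is not None and rec.verified
                and rec.method in PURGE_METHODS | DESTROY_METHODS)

    def audit(self) -> Dict[str, List[str]]:
        """Findings: retired devices lacking a verified unrecoverable-data record,
        and devices missing one of the 9.9.1 attributes."""
        findings: Dict[str, List[str]] = {"missing_sanitization": [], "incomplete_inventory": []}
        for serial, dev in sorted(self.devices.items()):
            if not all([dev.make, dev.model, dev.serial, dev.location]):
                findings["incomplete_inventory"].append(serial)
            if dev.status == "retired" and not self.unrecoverable(serial):
                findings["missing_sanitization"].append(serial)
        return findings


def sample_inventory() -> Inventory:
    """Constructed sample data: three devices, two retirements, one incomplete entry."""
    inv = Inventory()
    inv.add_device(Device("Dell", "Latitude 5400", "SN-0001", "HQ floor 2"))
    inv.add_device(Device("HP", "ProLiant DL380", "SN-0002", "Data center rack 7"))
    inv.add_device(Device("Lenovo", "ThinkPad T480", "SN-0003", ""))   # location missing
    inv.move("SN-0001", "ITAD vendor dock", "ITAD vendor", date(2024, 3, 1))
    inv.retire("SN-0001", SanitizationRecord("SN-0001", "shred", date(2024, 3, 2), "ITAD vendor", True))
    # Retired with only a single overwrite: recorded, but fails the unrecoverable check.
    inv.retire("SN-0002", SanitizationRecord("SN-0002", "clear_overwrite", date(2024, 3, 2), "onsite tech", True))
    return inv


if __name__ == "__main__":
    print(sample_inventory().audit())
```

Running the block reports SN-0002 under missing_sanitization (a clear-only wipe does not meet the example policy) and SN-0003 under incomplete_inventory (no location recorded), which is the kind of exception list an auditor would expect a 9.9.1/9.8.2 review to produce.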

Getting Certified

There are three primary entities that fall under PCI-DSS: (1) financial institutions, (2) merchants, and (3) service providers. Clearly, banks and retailers are on both ends of handling the monetary component of a transaction.

Service providers fall into four subcategories:

  • Processing
  • Storage
  • Transmission
  • Other

The “Other” category includes hosting/cloud providers, managed firewall solution providers, and intrusion detection providers. Interestingly, ITAM/ITAD and data destruction providers are not specifically identified. In fact, the standard suggests contacting the “applicable payment brand” to determine whether the service provider needs to be audited.

At minimum, service providers are screened for compliance by meeting the following testing criteria:

  • Successfully passing an “Approved Scanning Vendor” (ASV) inspection
  • Completing a “Self-Assessment Questionnaire”

Approved Scanning Vendor (ASV)

An ASV is a PCI-certified firm that performs external IT vulnerability testing. An ASV’s activity is designed to help identify potential issues that could be exploited by external attackers. It is not a guarantee that an entity could not or would not be compromised in the future.

Self-Assessment Questionnaire – SAQ-D for Service providers

PCI requires that merchants and financial institutions processing over one million transactions be audited by Qualified Security Assessors (QSAs). For smaller merchants and financial entities, a Self-Assessment Questionnaire (SAQ) is used to establish compliance. In the case of service providers, a similar assessment called the “Self-Assessment Questionnaire D” is used, regardless of the type of business in which they are engaged. Since it is a generic form, very few of its requirements are applicable to ITAM/ITAD.

Conclusion on PCI

For financial institutions and merchants, PCI-DSS is a requirement when handling credit card information. For larger institutions with high transaction volumes, a Qualified Security Assessor will “certify” an entity by providing a Report on Compliance (ROC). Smaller organizations and service providers fulfill the requirements by completing a Self-Assessment Questionnaire D and passing testing by an Approved Scanning Vendor.

SAS70 and SSAE 16 – Accountants/Auditors – Auditing Financial Controls

To provide valid and accurate financial reporting, accountants assure that proper financial controls are in place. The American Institute of CPAs (AICPA) created the Statement of Accounting Standard 70 (SAS70) in 1992 to provide a framework for auditing these controls. Over the subsequent decades, the Internet and large-scale outsourcing of business functions emerged, as did international accounting standards such as the International Statement of Assurance Engagements (ISAE) 3402 from the International Federation of Accountants. In 2011, the AICPA introduced the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) to supersede SAS70; SSAE 16 also incorporated elements of the international ISAE 3402.

A common misconception about SAS70 and SSAE 16 is that they are “certifications”. There is no “certification” for either. Rather, there is a Statement of Control (SOC) report that comes in several different forms:

SOC 1 – a report that attests to the controls that a service organization asserts to have in place and that may be relevant to a client’s controls over financial reporting.

SOC 2 – a report that evaluates performance over a period of time in specific areas: security, availability, processing integrity, confidentiality, and privacy.

Since these reports are intended to be used internally or between service provider and client auditors, a third report is available:

SOC 3 – similar to SOC 2, covering the monitoring of the security principles over a period of time, intended for use in marketing activities without divulging what specific testing was performed.

Obtaining an SSAE 16 Audit

Service companies providing outsourced services that have a direct impact on the financial reporting of a client company would seek an SSAE 16 compliance audit. Some examples of outsourcing companies seeking SSAE 16 audits include:

  • Payroll Processors
  • Loan Servicers
  • Data centers / colocation / network monitoring firms
  • SaaS Providers
  • Medical Claims processors

Large accounting, IT consulting, and security consulting firms provide both pre-audit and auditing services in compliance with prescribed AICPA standards.

Conclusions on SSAE 16

SSAE 16 is a tool for financial auditors to disclose the controls in place for financial reporting. There has been some criticism of how SSAE 16 is positioned.

“SAS 70 is basically an expensive auditing process to support compliance with financial reporting rules like the Sarbanes-Oxley Act (SOX),” said French Caldwell, research vice president at Gartner. “Chief information security officers (CISOs), compliance and risk managers, vendor managers, procurement professionals, and others involved in the purchase or sale of IT services and software need to recognize that SAS 70 is not a security, continuity or privacy compliance standard.”

SSAE 16 is an audit disclosure or report to convey which controls are in place.

Other than providing accurate inventory data for asset depreciation and recognition to accounting departments, there appears to be little applicability of SSAE 16 to ITAM and ITAD providers.

Security Certifications for Service Providers

ITAD service providers have a variety of options to demonstrate third-party audited secure data destruction.

AAA NAID Certification

The most comprehensive secure data destruction certification is issued by the National Association for Information Destruction (NAID). NAID has maintained data destruction standards and certifications for different media types and service delivery models for over 20 years. While membership in NAID is not the same as certification, roughly half of its members are audited annually, including random and surprise audits.

AAA NAID certification is oriented toward the service requirements defined by the customer. Many customers are concerned with where data destruction takes place. NAID maintains data destruction standards for service companies that provide:

  • Mobile or onsite data destruction services
  • Plant-based data destruction
  • Custodial services involving the transport of sensitive material to be destroyed at a plant-based service provider

NAID has established protocols for data destruction based on the type of media. With its roots in paper media and micro media (microfilm and microfiche), NAID quickly grew to certify specialized protocols for magnetic media.

Lastly, NAID is very prescriptive in its standards for physical destruction and sanitization methods.

In addition to service delivery and its methods, NAID maintains the highest standards regarding physical operations and employee requirements. Some examples include:

  • Physical security of building and monitoring
  • Who has access to material to be destroyed
  • Background checks
  • Drug screening and testing
  • Chain of custody
  • Record keeping
  • Surprise audits

Service companies involved in data destruction, or in the transport or storage of sensitive data, typically obtain AAA NAID certification. Certification is provided either by a third-party auditor assigned by NAID or by an ISO auditor.

The benefits of the AAA NAID certification are numerous. With AAA NAID certification, service providers can meet the requirements of:

  • The Fair and Accurate Transaction Act (FACTA) – meets requirements for auditing of service providers
  • HIPAA – safeguarding and assuring the protection of health records and PII
  • PCI – everything from secure infrastructure to the actual data destruction requirements

With its sole focus on data destruction, AAA NAID certification offers both customers and service providers a comprehensive framework and certification for protecting information.

R2:2013 and e-Stewards v2.0

R2 and e-Stewards are the baseline for independent, third-party certification for sustainable IT asset disposal. R2 was founded in 2008 and e-Stewards was created in 2009. The standards are managed by different organizations and have different objectives. However, both certifications address data security concerns. A commonality between the two standards is the requirement for data destruction and a recommendation to follow NIST 800-88 guidelines.

Since the focus of these standards is on the proper and sustainable handling of environmental hazards and on defining how to classify waste versus product, they contain minimal prescriptive measures to ensure data privacy. e-Stewards provides more depth than R2; however, neither is as robust as AAA NAID certification when it comes to addressing data privacy concerns.

Conclusions on Data Standards

Companies that handle payment card information, or provide outsourced information systems that process financial data, need to have data security controls that are audited against PCI-DSS and SSAE 16.

Service providers offering services to these organizations need, at a minimum, to ensure that they have proper controls in place and are familiar with the SAQ-D (Self-Assessment Questionnaire D). Since many service providers process payment cards themselves, it is likely that their payment card vendor will require testing by an ASV (Approved Scanning Vendor).

From an SSAE 16 perspective, organizations that rely on vendors for processing, storage and transmission in day-to-day operations would consider SSAE 16 an auditing tool to identify risks. From an ITAM and ITAD vendor perspective, there is little evidence that obtaining a statement of controls report would add much value.

[Figure: ITAM/ITAD audit regulatory report vs. industry certifications]

While R2 and e-Stewards offer a baseline of data security requirements, AAA NAID certification provides more thorough and robust requirements for protecting data and meeting the needs of PCI and SSAE 16.

About the Author

Dag Adamson was the founder and President of LifeSpan, one of the first national ITAD services companies, with locations across the US and R2, e-Stewards, AAA NAID, ISO and OHSAS certifications. He presently consults for Fortune 500 companies, assisting them in building next-generation, secure data destruction programs.