PCI DSS V4.0 Assessment Interviews: The Impact of Prior Planning & Technology
Jim Seaman
Business Information Security Officer (BISO) | Cyber Security & Risk Consultant | PCI DSS Compliance Specialist | Author | Speaker | MSc, CISM, CRISC, CDPSE | 20+ Years in Security Risk Management
Introduction
At the age of 17, I began my long career in the Royal Air Force Police. At the outset of this career journey, I undertook a 7-week long residential Basic Police training course. A key component of this training included training on carrying out proficient interviews.
Now, at the time, interviews were carried out without any technological assistance, so all the interview notes had to be written by hand. This proved to be a very tiring and stressful process, which significantly impacted the ability to carry out a proficient interview.
Fortunately, soon afterwards, the RAF Police adopted and implemented the use of technology, using the NEAL Police Interview cassette recorder:
This significantly improved the interviewers' ability to carry out proficient interviews.
Importance Of Effective Interviews For PCI DSS v4.0 Assessments
13 years later, I would return to the RAF Police School to complete my 10-week residential Counter Intelligence specialist training course. This course included specialist Investigative Interviewer training, which helped to significantly improve my interviewing capabilities through the application of the PEACE Model of Investigative Interviewing:
A decade later, these interviewing skills would be called upon once more, during my role as a PCI DSS Qualified Security Assessor (QSA).
Interviewing is an important part of a PCI DSS assessment, and now, with the PCI Security Standards Council's enhancement of the PCI DSS to v4.0, interviews have become a significant contribution to the Reporting Instructions and the Assessment Findings.
The Application of the PEACE Model for PCI DSS v4.0
Effective Planning & Preparation for the interviews with an entity's key personnel helps to improve the experience for the Interviewees and the Interviewers.
For example, reviewing the output from #.1.2 (the roles and responsibilities sub-requirement that appears in each of Requirements 1 to 11, i.e. 1.1.2, 2.1.2 and so on) and 12.8.5 (which PCI DSS requirements are managed by the entity, by each third-party service provider, or shared) can greatly assist an interviewer to create a targeted and specific Interview Aide Memoire and Interview Notes templates:
Armed with this information, the Interviewers can go into their stakeholder interviews with these extremely useful interview aides, which help ensure that each interview covers all the points that need to be validated via an interview.
For example, Requirement 1:
One-Page Interview Aide Memoire
Interview Notes Template
In addition to these interview aides, technology can be of further assistance, for example:
Recommendations
From a long and successful career history of interviewing people, I am a strong advocate of the use of technology and the 6 P's (Prior Planning Prevents Pretty Poor Performance), so that the interviewer can go into all their interviews, confident that all of the points to be proven will be captured during the interview process.
This confidence helps to set the interviewee at ease, and a well-prepared interview is both more proficient and less time-consuming.
As part of the Planning and Preparation phase, use the assessed entity's Responsibilities Matrix and the PCI DSS Requirements to identify which PCI DSS Requirements are applicable to the assessment and which stakeholders are responsible for each of them.
Armed with this information, you can then create the supporting interview aides that are specific to each of the stakeholder interviewees.
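One way to mechanise the planning step above, as an added example that is not part of this article or of any PCI SSC tooling: join a responsibilities matrix (the kind of record 12.8.5 asks the entity to maintain) with a list of interview "points to prove" per requirement, drop the requirements a third-party service provider manages outright, and emit one aide memoire per responsible role. The column names, role names, requirement selection and the wording of the points are all constructed for illustration and are not quoted from the standard.

```python
"""Generate per-stakeholder interview aide memoires from a responsibilities matrix.

Added example, not the article author's tooling. Matrix columns, role names
and the interview points are assumptions constructed for illustration.
"""
from collections import defaultdict
import csv
import io

# Constructed sample responsibilities matrix. managed_by is Entity, TPSP or Shared.
RESPONSIBILITY_MATRIX_CSV = """\
requirement,managed_by,entity_role,tpsp
1.2.1,Entity,Network Security Manager,
1.2.5,Shared,Network Security Manager,Hosting Provider
1.3.1,TPSP,,Hosting Provider
8.3.1,Entity,Identity and Access Manager,
12.8.5,Entity,Compliance Manager,
"""

# Constructed interview points per requirement; illustrative wording only,
# not the standard's text. 12.8.5 is deliberately omitted to show how a
# planning gap is surfaced before the interview takes place.
POINTS_TO_PROVE = {
    "1.2.1": ["How are network security control configuration standards maintained and approved?",
              "Who is responsible for applying them?"],
    "1.2.5": ["Which services, protocols and ports are permitted, and why?"],
    "8.3.1": ["How is authentication enforced for all user access to system components?"],
}


def parse_matrix(csv_text: str) -> list[dict]:
    """Read the responsibilities matrix into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def applicable_rows(rows):
    """Keep requirements the entity manages or shares. TPSP-only requirements
    are not validated by interviewing the entity's own staff, so they are dropped."""
    return [r for r in rows if r["managed_by"] in ("Entity", "Shared")]


def build_aide_memoires(rows, points):
    """Group applicable requirements by responsible role, attaching the points
    to prove for each and leaving the list empty where none are defined."""
    by_role = defaultdict(list)
    for r in applicable_rows(rows):
        by_role[r["entity_role"]].append({
            "requirement": r["requirement"],
            "managed_by": r["managed_by"],
            "tpsp": r["tpsp"],
            "points": points.get(r["requirement"], []),
        })
    return dict(by_role)


def render_aide_memoire(role, items):
    """Render one role's checklist as plain text the interviewer can print."""
    lines = [f"Interview Aide Memoire: {role}", ""]
    for item in items:
        header = f"Requirement {item['requirement']}"
        if item["managed_by"] == "Shared":
            header += f" (shared with {item['tpsp']}; confirm the entity's part only)"
        lines.append(header)
        if not item["points"]:
            lines.append("  [GAP] no points to prove defined; add before the interview")
        for p in item["points"]:
            lines.append(f"  [ ] {p}")
        lines.append("")
    return "\n".join(lines)


def missing_points(aides):
    """Requirements on any aide that still have no points to prove."""
    return sorted(i["requirement"] for items in aides.values()
                  for i in items if not i["points"])


if __name__ == "__main__":
    aides = build_aide_memoires(parse_matrix(RESPONSIBILITY_MATRIX_CSV), POINTS_TO_PROVE)
    for role, items in aides.items():
        print(render_aide_memoire(role, items))
    print("Requirements still lacking points to prove:", missing_points(aides))
```

The useful output is not the printed checklist so much as the `[GAP]` marker and the `missing_points` list: they show, before anyone is sat across the table, which requirements have been assigned to a stakeholder but have no interview questions prepared, which is exactly the "missed points to be proven" failure the Planning and Preparation phase is meant to prevent.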
Conclusion
Effective interviewing is far more involved than merely having a discussion between the QSA and the assessed entity's stakeholders, and without sufficient planning and preparation interviews become increasingly inefficient. This inefficiency can lead to mistakes, missed 'points to be proven' and time-wastage.
However, as you can see, through the use of effective planning and preparation and technology, the interview experience can be much improved for everyone involved.
Jim Seaman, yes, you have really helped us to appreciate how much benefit effective planning and preparation, combined with technology, can give to QSAs.