Background Checks on AIs and Other Challenges in the PCI World

Dan Stocker, Practice Director, Payments, Cloud & Tech

Coalfire has noted a number of leading-edge technological challenges for enterprises managing the rapid pace of innovation while also aiming for PCI compliance. We'd like to review our recent experience and offer suggestions for these comparatively novel situations.

Logical Access

Use of private blockchain for authentication purposes is relatively new, but can be problematic without adequate management of per-identity private keys. Account lockout in this context would definitely require administrator reset, which is inherently more disruptive (especially for lean organizations). The rotation process is also generally more cumbersome than for passwords.

As a deterrent to AI-powered hacking attempts, clients may employ psychological challenges designed to provoke an emotional response (Voight-Kampf tests). Essentially, it should be considered a non-biometric Third Factor. Coalfire recommends consulting with law enforcement regarding applicable local laws.

From a compliance perspective, biometrics using implanted technology will require an Attestation of Compliance (AOC) from the user's doctor or system integrator.


With the advent of quantum cryptography, please keep in mind that the use of quantum-entangled symmetric encryption keys requires careful key management procedures. Any violation of the Heisenberg Uncertainty Principle will require a Compensating Control.


Innovations in the Internet of Things space are allowing clients to build on the popular Software-Defined Perimeter (or Identity-Aware Proxy) pattern by expanding the dimensions of environmental data used for security policies. In particular, user implants that monitor health and user activity levels can provide extra 9s of risk management. Users with multi-tasking problems, or under the influence, may temporarily have their access levels curtailed. Users' immediate surroundings can also be factored into this decision. Catching up on email in the bathroom could be considered a risk factor.


Using a private blockchain as a means of log persistence (with built-in immutability) has found some organizations facing stark choices among the various distributed ledger options. Throughput is clearly a primary value, but Coalfire recommends caution, and a total cost of operation metric. Of course, measures to avoid leaking sensitive data into logs should also be strengthened.

Physical Security

Drones used for security escorts (with or without AI pilots) must still have distinguishing features to differentiate them from visiting drones used for remote assessment.

Vulnerability Management

Entities using Turing-complete blockchains are reminded that Requirement 2 (System Hardening) applies to these platforms. Additionally, applications implemented on these platforms must adhere to Requirement 6 secure code development mandates. A newer option could be the use of quantum computing techniques to simultaneously assess all code execution paths. This might qualify as an application vulnerability assessment (as per Requirement 6.6).

For organizations using Turing-complete blockchains, Coalfire offers a reminder that exempting them from anti-malware scanning will require a risk assessment (per Requirement 5.1.2).

Governance, Risk and Compliance

Perhaps the biggest technology challenge has been finding the right applications for artificial intelligence (AI). Areas that were previously the sole province of humans are now being performed by software built with models of expertise and trained with large corpuses of data. While topics such as intrusion and malware detection are commonplace, other areas require more careful consideration before rolling out universally.

A recent client provided a risk assessment done by a new AI system. While the overall value of the report was high, the omission of risks from artificial intelligence did stand out. Coalfire recommends treating this as a form of insider threat. Similarly, background checks performed by AI must be verified, so that an AI may not perform the check on its author.

It's worth noting that while AI agents can increase efficiency in certain jobs, they are still subject to PCI compliance. One non-intuitive example is annual security awareness training. This is an area that is still developing. Coalfire has seen several approaches, from hardcoding acknowledgements into the AI, training AI on known-compliant datasets, and use of general learning techniques. Coalfire believes the SSC will offer guidance in the near future.

In the vendor management area, where AI agents are sourced from vendors and used for in-scope processes, those AIs must undergo a background check. The complexity of this check should not be underestimated. Coalfire can envision clients choosing to evaluate the vendor AI using their own AI, but recommends not going further in that progression.

April Fools! We hope you've enjoyed this speculative look at the future of PCI assessments. While some ideas are purely fantasy, others have direct reference to current technology trends. Coalfire tracks developing technology and regularly encounters innovative uses in client environments. We’re here all year to help you sort out head-scratching PCI DSS issues.

Dan Stocker


Dan Stocker — Practice Director, Payments, Cloud & Tech

Recent Posts

Post Topics



Accounting Agency AICPA Assessment assessments ASV audit AWS AWS Certified Cloud Practitioner AWS Certs AWS Summit bitcoin Black Hat Black Hat 2017 blockchain Blueborne Breach BSides BSidesLV Burp BYOD California Consumer Privacy Act careers CCPA Chertoff CISO cloud CMMC CoalfireOne Compliance Covid-19 credit cards C-Store Culture Cyber cyber attacks Cyber Engineering cyber incident Cyber Risk cyber threats cyberchrime cyberinsurance cybersecurity danger Dangers Data DDoS DevOps DevSecOps DFARS DFARS 7012 diacap diarmf Digital Forensics DoD DRG DSS e-banking Education encryption engineering ePHI Equifax Europe EU-US Privacy Shield federal FedRAMP financial services FISMA Foglight forensics Gartner Report GDPR Google Cloud NEXT '18 government GRC hack hacker hacking Halloween Health Healthcare heartbleed Higher Education HIMSS HIPAA HITECH HITRUST HITRUST CSF Horror Incident Response interview IoT ISO IT JAB JSON keylogging Kubernetes Vulnerability labs LAN law firms leadership legal legislation merchant mobile NESA News NH-ISAC NIST NIST 800-171 NIST SP 800-171 NotPetya NRF NYCCR O365 OCR of P2PE PA DSS PA-DSS password passwords Payments PCI PCI DSS penetration Penetration Testing pentesting Petya/NotPetya PHI Phishing Phising policy POODLE PowerShell Presidential Executive Order Privacy program Ransomware Retail Risk RSA RSA 2019 Safe Harbor Scanning Scans scary security security. SOC SOC 2 social social engineering Spectre Splunk Spooky Spraying Attack SSAE State Stories Story test Testing theft Virtualization Visa vulnerability Vulnerability management web Wifi women XSS