ZenGRC

Simply Powerful GRC

Risk Management

PCI Rules for Handling CVV Data

· ·

We’ve talked quite a bit about PCI DSS and PCI compliance recently. Today we want to talk about some of the requirements for storing particular types of PCI card data—namely, CVV.

When many people think of cardholder data, the first thing that comes to mind is the card number on the front of the payment card. There is, however, other information on the card, known as sensitive authentication data. We’ll explain that in detail in the following sections.

If your e-commerce company handles or stores cardholder data, it’s important to make sure you achieve and maintain PCI DSS (Payment Card Industry Data Security Standard) compliance. Not doing so can lead to expensive fines for your business or suspension from payment card processing.

In this post, we’ll explore the CVV code, the rules for storing it, how that code relates to PCI data, and the role it plays in PCI compliance.

PCI Compliance CVV Guidance

What is CVV? 

CVV stands for “card verification value,” and all major brands of credit or debit cards (Visa, American Express, Mastercard, or Discover) include some form of CVV on every card.

The CVV number (also known as CVV2, CVC2, CAV2, and CID) is a three- or four-digit code on the front or back of the card. Merchants and service providers use it to verify that you have the physical card during a credit card transaction, and thus to reduce the chance of fraud.

Is CVV Considered PCI Data? 

In short, yes.

The PCI SSC (Payment Card Industry Security Standards Council) was formed by the major credit card companies to manage the evolution of the PCI DSS (Payment Card Industry Data Security Standard).

According to the PCI DSS, payment card data includes the full primary account number (PAN), the cardholder’s full name, the credit card service code, and the expiration date. It also includes sensitive authentication data in the magnetic stripe on the back of the card, plus any CAV2, CVC2, CVV2, CID, PINs, and PIN blocks.

What are the PCI compliance rules for CVV storage?

We can take the following straight from the PCI standard itself:
“(3.2.2.) Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card used to verify card-not-present transactions) after payment processing authorization is complete.”
Put simply, once a merchant uses the CVV to verify card ownership at the point of sale, that CVV data should not be retained. 

How can I make sure I’m PCI-compliant regarding CVV storage?

Secure payment applications and payment processors that meet PCI DSS requirements will minimize the potential for security breaches and reduce the chance for compromise of PAN, full track data, card verification codes and values, PINs, and PIN blocks, along with the damaging fraud resulting from these breaches.

If you need help ensuring PCI compliance, ZenGRC can help. Our tool helps you track and manage your risks, identify where you are compliant with PCI DSS, where you fall short, and how to fill gaps. And its “single source of truth” repository keeps all your documentation in one place for easy retrieval at audit time.

Worry-free PCI DSS compliance is the Zen way. Contact us today for your free consultation.

Tips for Vulnerability Management Reporting

· ·

A vulnerability management program is crucial when analyzing an organization’s security posture and devising a plan to remediate any flaws within its cybersecurity.

ISO certification, and in particular the ISO 27001 standard, is one component of vulnerability management and risk management—and a big one, at that. This certification can assure that customers and employees feel comfortable with the business handling their sensitive data, such as payment card information. To obtain the certification, an ISO checklist must be created.

The other piece of vulnerability management is a vulnerability assessment. To understand which parts of the organization’s security are weak, a vulnerability scan must be performed, and then a report must be written. Unlike penetration testing, vulnerability assessments can be automated, easing some of the burden for your security team.

What is a vulnerability assessment report?

A vulnerability assessment report documents the findings of the assessment. It also contains recommendations to remediate whatever security vulnerabilities the assessment found. Attention to detail is critical here, to ensure organizations know exactly what weaknesses exist and how to patch them. 

This applies even to wording in the report; the language must be understandable not just to those familiar with the IT world, but also to any senior executives within the company. 

What are the metrics for vulnerability management reporting?

In theory, it’s possible to assess every single aspect of the company’s IT systems. In practice, that approach can cause high-risk threats to become lost among heaps of other information—so selecting the right metrics to include in a report is crucial. Paying attention to evolving threats will assure that the system stays step ahead of security vulnerabilities, and will instill faith in stakeholders by generating a clear, concise report of what truly matters. 

So what issues should a vulnerability management report measure, to assure your application security is satisfactory?

Inventory Scanning

  • How many assets are known, in comparison to how many are scanned?
  • How often are assets scanned, and by what grouping?

Time to Detect

  • How long does it take for vulnerabilities to be detected across the system? 

Patching & Remediation

  • How many vulnerabilities were found, versus the number of vulnerabilities patched?
  • How long was the vulnerability known before patching occurred?
  • How often was the same vulnerability reopened? (This gets at whether the patching is process flawed.)

Prioritizing

  • Which security vulnerabilities are most critical?
  • How many critical vulnerabilities are open?

What should a vulnerability assessment report contain?

A robust vulnerability assessment report should contain the following three elements: executive summary; assessment overview; and results & mitigation recommendations.

Executive Summary

This section reviews the vulnerability scan’s results. It gives readers a look into how well or poorly a system performed. It can then classify the organization as having a low, medium, high, or critical risk level. 

As the title suggests, this is simply a summary. Too many details will overwhelm the reader, so graphs are used to depict how many vulnerabilities exist within the system and how critical they are. 

In short, this section offers a big picture view of issues, especially for senior executives who may not be well-versed in security.

Assessment Overview

This section should clearly and concisely state the validation, investigation, and deliverables given by the vulnerability assessment. The open source, commercial, and custom tools used by the scan should be included. 

The reader should be able to leave this portion of the report with enough information that, if warranted, he or she could investigate further. 

Results and Mitigation Recommendations

This section lists and describes each security vulnerability, including (ideally): 

  • Name of the vulnerability 
  • Date of discovery
  • Vulnerability score
  • Detailed description
  • Process to detect the vulnerability
  • Proof of concept of the vulnerability
  • Guidance for remediation
  • Prioritization of vulnerability (This is where CVSS is helpful.)

This portion of the report is crucial, which means attention to detail is paramount. 

Conclusion

A comprehensive vulnerability management program is essential to keep your organization (and all the information it contains) safe from data breaches, hackers, and whatever else might harm your assets. A detailed and solid report is a great stepping stone to assure your cybersecurity is effective.

Use These Six Agile Principles To Manage IT Risk Right Now

· ·

This article first appeared on Forbes.com Jul 22, 2020, 01:44pm EDT 

During the past four months, the business world has woken up again to the reality of reacting quickly in a fast-changing environment. Some of these shifts in operations are obvious, such as remote work and limited travel for conferences and meetings. Other risks have emerged, though, that are less obvious. IT security concerns, for instance, have increased dramatically and are shifting in unpredictable ways that require us to take on new tactics to prevent data theft, malware and extortion.

In the past, companies commonly reviewed their “registry” of IT risks on an annual basis. Essentially, they checked off the boxes to pass SOC 2 Compliance, which outlines the criteria to manage customer data in five areas: security, availability, processing integrity, confidentiality and privacy. This is where two-factor authentication, encryption, firewalls and quality assurance controls come into play. Companies must pass these requirements and be “SOC 2 Certified” to sell products and services to others.

Today, that’s not enough. The pandemic has accelerated our reliance on work-from-home software and go-to-market digitization efforts, and companies need to shift quickly to address new attacks. The old methods of risk assessment are now as passé as client-server technology from the 1990s, and gone are the days when we can simply plan for next year’s IT risks.

Ken Lynch byline Forbes Magazine
To tackle these rapidly-changing risks, we need to adopt the same agile methods that technology companies have used for more than 20 years. Incorporate these six principles into your IT risk strategy so you’re ready for the new threats to come this year:

1. Track your company’s new opportunities and threats.

I remember the dot-com crisis of 20 years ago. There was an incredible opportunity to digitize everything, but we didn’t know exactly what to build, and following last year’s plan simply didn’t work. The companies that were successful knew how to react to the risks of the day. They didn’t follow a grand plan. They continually assessed risks, acted quickly to manage those risks, and they survived.

Similarly, we’re living in a world of rapid changes. Take a quick inventory of the new strategies you’re adopting — such as work-from-home plans or accelerated online sales — and identify the threats that are associated with them. For instance, you need to understand how data is collected, stored and secured and what role you play in that. Add these to your risk list and ensure that you address them, not ignore them.

2. Review your risks monthly.

We’re seeing an increasing number of attacks online, and the threats that overwhelm us one week are not the same that crop up next week. You need an up-to-date list that accurately corresponds to the new opportunities that you’re pursuing and the new software you’re using. It’s no longer adequate to do this annually, when the pace of adopting digital tools and sales systems was much slower. Instead, I recommend a monthly review, even bi-weekly, if possible.

3. Re-prioritize last month’s efforts.

As you review your risks monthly, it’s just as important to deprioritize issues that are less relevant as it is to add new ones. The threats from last month may no longer be as urgent, which happens often now, so you should reduce efforts in these areas. The latest attack tactics are always changing, and your company can (and should) be dynamic in its response as well. Be ruthless about focus.

4. Pick your top 5 risks.

If you try to tackle all of the potential IT risks out there, you’ll quickly become overwhelmed. Add all of the relevant possibilities to your list, of course, but highlight the top five that will cause the most threat and harm to your business. Then implement the steps that will make progress on those priorities before putting much effort on items down the list. If you try to tackle 50 risks, you won’t get far on any of them, so focus on your top 5.

5. Do weekly check-ins.

Touch base with your top risk owners, even if a quick regular chat through an internal messaging app. That will keep those risks top of mind. Promise that the check-ins will stop once the risk leaves the “top 5” list, which will remind busy colleagues that risk is a top priority. During these regular checks, ask three questions: “What progress has been made the prior week? What actionable steps will be accomplished this week? Are there any blocks or barriers that need support?” This simple and vital communication will create significantly more progress than if you wait for a report just before the next board of directors meeting. Don’t wait, or it’ll be too late.

6. Repeat.

This final agile principle seems obvious, but it’s often the most difficult step to turn into a habit. When companies face an IT issue that compromises data or affects sales, they’ll double-down on risk management in the short-term, but it often devolves into complacency again in the long-term. These new threats aren’t going away, and in fact, they’ll continue to increase as we ramp up more digital processes through the rest of the year. Create your sustainable plan by making it a core priority and implementing the review process as part of your team’s monthly and weekly tasks.

Ultimately, the responsibility of risk rests on your company’s shoulders, and now is the time to schedule regular checks for new threats. You’re in a great spot to capitalize on the rewards of our renewed acceleration toward an online and digital world, and part of that process includes managing IT risks quickly. If you implement agile principles to address those risks, your company will make better decisions in an uncertain future.

Why Vulnerability Management is Important

· ·

We are all vulnerable, and becoming more so, it seems. Data breaches and system disruptions due to cyberattacks just keep rising, year after year. Finding and strengthening your cybersecurity weak spots, or vulnerabilities, is key to thwarting these attacks.

A Big Problem, and Growing Fast

Cybercrime has proliferated to such an extent that it hardly makes headlines anymore. Data leaks, defined as “the unauthorized transmission of information from inside an organization to an external recipient(s),skyrocketed in 2020 by 492%, reaching 27 billion in the first half alone–an all-time high. Typically, data leaks happen from within.

Atlas VPN reported 2,037 publicly reported data breaches in the first half of 2020. In the same period in 2019, 3,800 publicly reported breaches exposed 4.1 billion records, according to Norton. Clearly, vulnerabilities abound.

Managing Your Weaknesses

The most common cybersecurity vulnerabilities, Kaspersky says, occur in technologies and user behaviors. 

Breaches occur, the security company writes, in the following ways:

  • Accidental insiders who inadvertently leak information to an outside location;
  • Malicious insiders who leak data intentionally;
  • Lost or stolen devices containing unencrypted information;
  • Malicious external criminals such as hackers, who may install malware on your systems.

Vulnerability management can help you avoid data leaks and breaches before they start–but to do it right, you must be vigilant. The process begins with vulnerability assessments and it never stops; as soon as you complete one vulnerability assessment, you must begin another. 

A vulnerability assessment helps you identify, evaluate, classify, remediate, and report on security vulnerabilities in operating systems, enterprise applications, browsers, and end-user applications. 

Mind Your Patches

Every year, organizations discover thousands of new cybersecurity vulnerabilities requiring them to patch their operating systems and applications and reconfigure their network security settings. Too often, though, they lack a robust patch management program and fail to apply these patches in time.

Nearly 60 percent of cybersecurity breaches in 2019 may have been completely avoidable, according to the Ponemon Institute–they resulted from companies’ failure to patch known vulnerabilities using readily available patches. 

Of course, the typical corporate network contains thousands of vulnerabilities. Keeping them all patched is an impossible task–but having a vulnerability management plan can ensure that you’re addressing the highest-risk vulnerabilities.  

Vulnerability management gives you a process and the tools to regularly identify and remediate your most critical and high-risk vulnerabilities. 

Compliance Requires It

Vulnerability scanning and vulnerability management are required to achieve compliance with such regulations and industry standards are the International Organization for Standardization’s ISO 27001, Information Security Management Systems (ISMS). 

One of the most widely used standards in the extensive ISO family, ISO 27001 provides guidance on cybersecurity management, including vulnerability management as well as information security risk assessment and risk management.

What Vulnerability Scanning Does

Vulnerability scanning aims to identify any systems that are subject to known vulnerabilities. But it’s not a one-and-done task. You must schedule scans to occur regularly to detect new weaknesses and threats.

A vulnerability scanner scans a network or system, including operating systems, for known weaknesses. A vulnerability scanner can also uncover such issues as improper file sharing, system misconfigurations, and outdated software. 

You should use vulnerability scanners to conduct vulnerability scans at least once a month, but more frequently as needed for critical or high-risk systems. When you conduct vulnerability scanning, you should do so in a random order to ensure potential threats can’t use your schedules to plan cyberattacks.

More frequent scanning will give you greater clarity on the progress of your remediation efforts and help you identify new security risks based on updated vulnerability information. If you don’t scan for vulnerabilities and proactively address any flaws that you discover, it’s likely that your systems will be compromised.

The data these scans produce can be invaluable for your risk management program if you evaluate scan results and remediate accordingly.

The Vulnerability Management Process

Each new vulnerability introduces a security risk to your company. So, it’s important to put a process in place to identify and address vulnerabilities quickly and continually. 

Typically, there are four stages to a vulnerability management program:

  1. Identification

First, identify all the vulnerabilities that exist throughout your IT environment. To do so, you must define your IT assets and find the right vulnerability scanner for each asset.

The vulnerability scanner you’ll use for your web applications will differ from the scanner used to uncover network vulnerabilities. For application security, you will likely need at least two technologies to detect vulnerabilities in open source libraries and in your proprietary code.

Identification is a critical part of vulnerability management that is becoming increasingly challenging as companies’ IT environments grow more extensive, complex, and interconnected. 

  1. Evaluation

After you’ve identified your system’s vulnerabilities, you must evaluate the risks they pose and determine how to manage them. It’s important to understand the risk ratings that your vulnerability management tool provides, such as the Common Vulnerability Scoring System, which provides a numerical (0-10) representation of the severity of a vulnerability.

However, you will also want to understand other real-world risk factors, such as:

  • How easily can someone exploit a particular vulnerability? Is a published exploit code available?
  • Does the vulnerability directly affect the security of your network?
  • What would be the impact to your business if a bad actor exploited the vulnerability?
  • Do you have any existing security protocols that would decrease the likelihood and the consequence of a malicious actor exploiting the vulnerability?

It’s also important for you to know whether any vulnerabilities that you’ve identified are false positives. There are tools and techniques that enable vulnerability validation, such as penetration testing, that can identify false positives so you can focus on the vulnerabilities that pose the biggest risks to your company.

  1. Remediation

After you’ve identified and evaluated the vulnerabilities, you have to determine how to prioritize and address them.

Your vulnerability management tool will likely recommend which remediation technique you should use for each vulnerability. You should check with your security team, system owners, and system administrators to determine the right strategies.

There are three general ways you can remediate the identified vulnerabilities:

  • Remediation: Preventing exploitation by patching, correcting, or replacing code that contains a vulnerability.
  • Mitigation: Reducing the probability or impact of a vulnerability. This is typically a temporary fix that you can use until you can totally remediate the vulnerability.
  • No action: Acknowledging and accepting the vulnerability. Generally, you should only do this when the cost of remediating the vulnerability is much higher than the effect it would have on your business if it was exploited.

After you’ve finished the remediation process, you should perform another scan to determine if the vulnerability was completely resolved.

  1. Reporting

If you routinely conduct vulnerability assessments, you’ll gain greater insight into the effectiveness, speed, and cost of your vulnerability management program.

Most vulnerability management systems let you export the data from your vulnerability scanners so your security team can better understand the security posture of each asset and track it to identify trends, such as increased vulnerability detection.

Consistent reporting will help your security team comply with your company’s risk management key performance indicators as well as with regulatory requirements.

Continuity is Key

Vulnerability management is hard. You have to perform it continually to ensure that all of your systems and applications are always up-to-date and that you identify each new vulnerability as soon as possible.

You may need to change the mindset of your security teams. The best way is to implement continuous processes that will affect their day-to-day work. Periodic testing and remediation just aren’t enough if you want to ensure that you keep on top of your security status. And the most reliable and effective way to manage vulnerabilities continuously is with automation.

The Importance of Prioritization 

The goal of security teams is to fix all the vulnerabilities detected in your company’s assets. However, it’s just about impossible to achieve that goal. Prioritization, therefore, is the key to a successful implementation of a new vulnerability management program. 

You need to ensure that you set clear guidelines for each asset, i.e., which vulnerabilities should be remediated and which should not. Vulnerability management consultants can help define a risk-based prioritization procedure based on your assets and the market.

Under a strong vulnerability management program, each process is viewed as a continual lifecycle aimed at helping to improve security and reduce organizational risk found in a company’s network. 

Get Help if You Need It

Today’s tools can simplify and automate the process of vulnerability management. ZenGRC works with other tools and technologies to collect and store data on your vulnerabilities and tells you what you need to do to resolve them. It tracks tasks so you always know what’s being done and by whom, shows your compliance (including for ISO certification) and risk management stature on user-friendly dashboards, allows unlimited self-audits in a few clicks, and much more.

Worry-free cybersecurity risk management is the Zen way. Contact us today for your free consultation.

PCI DSS Risk Assessment Guidelines

· ·

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for companies that handle credit and debit cards from the major card brands, whether via e-commerce or in in-person transactions, and those that store or process payment card data.

PCI DSS Requirement 12.2 requires that organizations annually perform formal risk assessments to identify threats, vulnerabilities, and risks to the business, particularly risks to debit and credit card data and their environments. This requirement can help you identify, prioritize, and manage your information security risks.

If you don’t want to get hit with a data breach, you’ll need to close security and PCI DSS compliance gaps. A risk assessment can help you figure out which vulnerabilities you should address first.

A risk assessment helps you anticipate threats and the vulnerabilities associated with those threats that can harm your business. A risk assessment also helps you determine how to implement the controls that can ward off those threats or lessen their effects on your company if they do arise.

Conducting a risk assessment at least annually keeps you up to date with changes in your business. It also enables you to consider those changes in light of new threats, new technologies, and emerging trends. These changes might include introducing a new software application to your cardholder data environment or launching new products or services.  A risk assessment should also be performed when there are significant changes to your organization’s environment such as relocation, merger, or acquisition.

There are a number of industry-accepted risk assessment methodologies that you can use to develop your risk assessment process, according to the PCI Data Security Standard. These include OCTAVE, ISO 27005, and NIST SP 800-30.

Assessing Your PCI DSS Risks

Your PCI DSS risk assessment should include:

  • The types of risk that may exist in your systems, applications, or processes
  • Company assets that need protection from these risks
  • Your entity’s level of vulnerability to each risk 
  • The likelihood that each risk will materialize (that a threat will occur)
  • The impact on your organization if a threat should occur
  • How your company can reduce the likelihood of threats and their impact. 

According to the PCI Security Standards Council, these are the steps you should follow when conducting your PCI DSS risk assessment:

  1. Develop a Risk Assessment Team and Methodology. Establish a risk assessment team with people from every department, including those that process, store, and transmit cardholder data. Appoint a team leader who understands the PCI DSS requirements and the risk assessment methodology.

    Adopt a methodology that fits with your company’s culture and the current business climate so you can be sure to meet your risk objectives.
  2. Identify Your Risks.  “Risk” refers to the likelihood that a threat will materialize, often due to a vulnerability. “Risk level” refers to the potential impact that threat will have on your company and your customers.

    For example, a system that employs weak passwords is vulnerable to the threat that a bad actor could compromise user credentials and break into the system. Your company is at risk if you store cardholder data that are not encrypted in your system.

    When threats are likely to take advantage of a vulnerability, therein lies your risk.

The PCI Security Standards Council (PCI SSC) lists four areas of focus in the risk-identification process:

  • Context establishment: Understanding the “the organization’s hierarchy, business processes, cardholder data (CHD) flows, and any associated system components”
  • Asset identification: The “the people, processes, and technologies that are involved in the processing, storage, transmission, and protection of CHD.” This step also involves identifying who is responsible for protecting each critical asset and may include assigning a value to each depending on its importance to the business.
  • Threat identification: Anyone or anything that could cause harm to the organization is a threat. The PCI SSC suggests talking with people throughout the company to compile a comprehensive list. Reviewing past threats can also help pinpoint those most likely to occur in the future.
  • Vulnerability identification: Part of vulnerability management, this step involves pinpointing weaknesses or potential weaknesses that threat actors could exploit, such as payment channels and devices. The PCI SSC recommends using vulnerability assessment reports, penetration-testing reports, and technical security audits such as firewall rule reviews, secure code reviews, and database configuration reviews.
  1. Determine Your Risk Levels. Which risks stand to affect your organization? Prioritizing these risks and their potential impacts is a key part of your risk assessment, ultimately guiding your risk management strategy.

The PCI SSC recommends ranking risks according to:

  • The ability of the “threat agent” to carry out the threat
  • The threat agent’s intent
  • The threat’s relevance to the enterprise
  • The likelihood of its occurring
  • The damage that it could cause to the organization.

Next, assign a risk level to every vulnerability and every threat that’s associated with the vulnerability, i.e., high, medium, or low risk. For additional information on the various risk evaluation methods, i.e., quantitative vs. qualitative, see the PCI Security Standards Council’s  PCI DSS Risk Assessment Guidelines.

4. Mitigate Your Risks. It’s nearly impossible to eliminate all your risks. That’s why it’s important to apply controls to reduce the risks to acceptable levels.

Mitigation often includes taking steps to reduce the likelihood that a risk will occur or lessen the severity of loss if it does happen or both. These steps can include implementing operational or technical controls or making changes to your physical environment. For example, you can mitigate the risk of malware by installing anti-malware software. The level of risk that remains is often referred to as “residual risk.”

Mitigation can take several forms: avoiding the risk, perhaps by discontinuing the activity that has created it; transferring the risk, for instance with insurance; reducing the risk, or accepting the risk, especially if the likelihood of its occurring or its potential impact on your business is low.

Reporting the Results

Each risk assessment should result in a risk assessment report that details the risk you’ve identified, including those affecting the cardholder data environment (CDE). The goal of the report is to clearly state the various risks that concern your company. The report may also explain the actions you took to remediate these risks.

Your PCI risk assessment report should include the following information:

Scope of your risk assessment: Describe your company as well as the internal and external guidelines you considered when you defined the scope of your risk assessment.

For the purpose of PCI DSS requirements, you can also include an overview of your cardholder data environment and the companies that support and process your cardholder data.

Asset inventory: Create a thorough list of assets that are in the scope of the risk assessment, for example, hardware, software, networking, and communications infrastructure, and employees.

Threats: List the threats that can harm your assets. You can also include a description of each threat that you’ve identified to spell out their characteristics.

Vulnerabilities: List the vulnerabilities related to technology and to your organization that can affect your assets.

Risk evaluation: Describe the technique you used to measure the risks you’ve identified so you can prioritize them.

Risk treatment (mitigation): Document the list of actions you’ve taken for each of the risks you’ve identified, along with how you handled those risks.

Version history: You might want to include the date, author, and the approver of the document.

Executive summary: This details your company’s overall risk posture before and after risk mitigation.

Get Help If You Need It

You should perform an annual risk assessment, at least, and another after you make any significant changes in your network. The risk assessment can offer direction on the vulnerabilities you should address first.

Conducting a risk assessment is often a long process, and only the first step toward PCI compliance. Meeting all the PCI requirements can take many months. Using quality governance, risk management, and compliance software can ease these tasks.

ZenGRC can help you track and manage your risks and to know where you are compliant with PCI DSS, where you fall short, and how to fill gaps. And its “single source of truth” repository keeps all your documentation in one place for easy retrieval at audit time.

Worry-free PCI DSS compliance is the Zen way. Contact us today for your free consultation.