In an unpublished (and scrapped to my knowledge) Top 10 Security Predictions for 2008, I predicted that we would see a breach in 2008 from an entity that had validated compliance (hey, come on…. It’s true, I promise). Does that mean that the standard is not tough enough? Or that companies validating compliance are having a hard time maintaining it? Or possibly that a QSA is not doing their job properly?

The first has been discussed at length in the industry. While there are loud detractors to the standard, insiders agree that compliance does not equal security. Compliance is a baseline and security should be layered on top. The PCI standard as it stands is GOOD. Getting companies to comply and build additional security on top is the challenge. If I had a hundred dollars for every time I heard the phrase, ‘What is the bare minimum I must do to comply,’ this blog would not exist.

Unfortunately, with something as divisive as PCI, you will have people complaining about how hard it is, and then folks saying it’s not hard enough. Rock? Meet hard place.

For the second, VeriSign answered struggling (shout-out to the P1) entities cries for help and instituted a service called PCI Program Management. This longer process sets up a program to support and maintain PCI. If you have an existing security program, we work within the guidelines of that program, and hopefully help improve it overall. Our goal is to get companies set up to maintain compliance on their own, as opposed to being afraid that one of the thousands of change control documents is overlooked and pushes them out of compliance.

That last one is a big ouch, but if you have been dealing with PCI for some time it makes perfect sense. How can it be possible to get a small PCI Assessment quote for 15K from one vendor and a 40K quote from another? We must not be comparing apples-to-apples. Do you notice that some QSAs are easier than others? How much management confidence do you have in the findings from the assessment? 15K or 40K?

The great QSA equalizer of 2008 was supposed to be the PCI Q/A Program that the council is instituting this year, not a breach of a validated entity (remember, validated is not the same thing as compliant). Time will tell as details come out how this will affect the industry, but I am betting it will force entities to look more closely at the QSA’s work product.

Merchants & Service Providers alike can alleviate something like this happening by first checking the history of the QSA and lobbing a couple of hardball questions prior to starting the engagement. This can tell you how effective the assessment is. Is the majority done remotely? Do they recommend achievable controls? Are they missing things that you know are not compliant?

But most importantly, entities subject to PCI can avoid this by building a solid program to maintain their PCI compliance day-in and day-out. Don’t aim for the minimum, aim for security without impacting the business. VeriSign believes in this mantra and ensures that its importance is conveyed to our customers.

This post originally appeared on

Possibly Related Posts: