After the year we had in 2007 with PCI related breaches, who would have thought that 2008 would give us more? I mean, after last year, who would have thought that we would see another major breach given the “lessons” we learned?

Um, I did. Fo-sho.

Why? Because early in my career I learned that most executives don’t care about problems until they hit close to home. Like right under their nose.

We’ve seen two instances this year of companies that had validated compliance with a QSA, but were subsequently breached. Without specifically commenting on either of these cases, we have never conducted an investigation of a compromised entity and learned that they were compliant at the time of the breach. I’ve written about the quality of QSAs and the corporate responsibility, but as Will Smith so eloquently explained, parents just don’t understand.

Many retailers are struggling right now. Guess what one of the first programs to get cut will be? YEP! The one that will prevent that breach from actually occurring.

One common theme I am seeing in many of my large retail customers is they seem to think that they will be able to transfer the liability of a breach to their QSA. I worry when I am sitting with a manager of the PCI program and he or she asks what is “passable” or something we can “cobble together for the QSA” knowing that it won’t last past the QSA’s flight out.

Don’t laugh, this has happened multiple times this year. Or if you want to laugh, just giggle silently to yourself while making sure this won’t happen to you.

If you are wondering what kind of liability a QSA carries, you can read the publicly available Validation Requirements for Qualified Security Assessors (QSA) v. 1.1. If you are at work and don’t want to slip into a post-lunch coma by wading through this, here’s the gist of it.

QSAs are liable for improperly performing the assessment, and for willfully passing someone that should not be passed. We have to assemble a considerable amount of documentation when doing these assessments to justify our position. If there is ever a review, we have to show how we arrived at our conclusion. If we are unable to, that is where the liability can come into play.

If a merchant hides things and gets lucky because sampling did not find issues known by the merchant, the QSA may or may not have liability here. It depends on the circumstances, and more importantly, the lawyers. None of these clauses have been tested yet (to my knowledge) in a court, but that will change based on the events of 2008.

Regardless, as a merchant, you should not want to ever GET there. Brand damage aside (which I will argue may not be relevant in many cases), the fines that must be paid pale in comparison to the fees you will pay to lawyers and vendors to hastily assemble a compliant and secure solution.

Merchants must own and be responsible for compliance every day of the year. This means actually being compliant, expanding on compliance to become secure, and finally having a program in place to monitor and maintain that compliance 24×7.

This post originally appeared on