Here’s a line you have heard many times–“but wait, don’t look at this in black and white. You have to take a risk-based approach.” We hear it all the time as a QSA. Sometimes there is a legitimate reason to take a sane, risk-based approach. In fact, the Council tells QSAs that PCI must be applied using a risk-based approach. That allows for some latitude in some areas, but can create problems in others.

Wait… problems? Why problems?

We don’t have a single, industry-wide risk model to measure risk. This means that each QSA is empowered to use their discretion on how to measure and accept risk, leading to variance in interpretation and opinion shopping by companies hiring a QSA.

Many companies that are subject to PCI Compliance choose to roll the dice on compliance. As a QSA, I have seen some companies neglect certain controls that ended up making the difference in a breach. Things like log management, intrusion detection, and even more basic controls like vulnerability and patch management. The reason for the neglect is usually lack of resources; be it time or money.

Corporate leaders claim to be risk averse and will tell the Street they manage risk religiously. The truth is, most corporate leaders don’t understand how information security plays into the risk equation, therefore they cannot make informed decisions on how to manage risk in that light. In fact, it usually takes something like a breach for corporate leaders to get religion with respect to security.

By then it is too late.

Some QSAs do the exact same thing. If you are a level 1 merchant, and you have two bids for a PCI Assessment at 100K, and two bids at 35K, how are you to choose? Corporate pressures tell you that you need to choose the lowest cost for the service you need. Since there are two bids at the low price, it looks legitimate enough to take the plunge.

So you roll the dice.

Here’s what you may not know. Your QSA may be rolling the dice as well! Multiple breaches have occurred in the last two years from companies that had been validated as compliant by a QSA. Again, without speaking directly to those breaches, there has NEVER been a case we investigated where a company was compliant at the time of a breach (with the exception of something like a smash and grab, but those didn’t make the news).

If your QSA is phoning most of the assessment in and shows up on site for two to three days to do the entire thing, your QSA is rolling the dice in hopes that you (the assessed company) will do enough to avoid a breach. If you ever reflected upon an assessment and thought to yourself, “Wow, that was surprisingly easy,” you might just be the next victim.

My theory on this is as follows: It is probably OK if one of the two parties involved in a PCI Assessment rolls the dice. If a company being assessed does not do a good job of maintaining their compliance, a good QSA review will reveal those gaps. If a merchant is doing all the right things around PCI and has a rock solid security posture, a QSA may dodge a bullet by rolling the dice and doing a half-assed job on the assessment.

Where companies get into trouble is when both the company being assessed, AND the QSA roll the dice at the same time. Depending on the roll, you might be lucky enough to let the risk ride.

In the case of recent breaches, the roll came up Snake Eyes.

This post originally appeared on