The following is a guest post by Frank Castaneira. Frank is a Sr. Consulting Manager inside the Global Security Consulting practice at VeriSign.

Matt Hines recently wrote about the PCI Council discussions on applicability and adequacy of the PCI Standard given reported breaches of validated entities such as Hannaford and Heartland. Branden recently discussed the PCI Council conversation on March 6. Branden suggested greater visibility by the Council into the incident response process. This posting amplifies on that solution and provides other perspectives.

The discussions mentioned in Mr. Hines article focused on the QSA (Qualified Security Assessor) posture that an annual on-site assessment is relevant only for that point in time. Although, I recognize the issue (point in time), my experience tells me that the real case in these breaches is that the entity really wasn’t “compliant”. Yes, a QSA attested to that compliance, but I bet the breach exploited a vulnerability (or multiple vulnerabilities) covered by the standard, and should have been caught by the QSA.

Of course, one cannot exclude the following scenario as possible:

Administrator (insider) is seduced by someone with connections to overseas organized crime. During the encounter, Administrator removes the private key-encrypting-key from a company safe. Encryption scheme is then exploited and the ill-gotten data is sold or transferred to a crime ring.

The previous example is purely fictional and designed to illustrate a point. The PCI standard is not perfect, nor will it prevent all forms of cardholder fraud. It is; however, a solid security baseline when validated through the eyes of a good assessor with a competent and quality-minded program behind him. Adherence to all the requirements will significantly lessen your risk-footprint, and practically eliminate the statistic of breached compliant entities. Note that organized crime feasts on the easiest kill, and compliance with the DSS builds a fence that is unattractive in comparison with other targets in the wild.

If the source of recent compromises becomes part of public record, my wager is that obvious errors and omissions by the QSA will be revealed. Although, all QSAs are required to take annual training and must pass a certification test, only very few create robust assessor programs that include peer reviews, significant onsite interviews, and data collection, and collaborative forums to discuss grey areas.

It is also important to acknowledge the client’s quandary as they followed the rules. Level 1 Merchants and all Service Providers must use an approved assessor from the QSA list. Aren’t all assessors the same; at least in PCI Council’s eyes? If client picks an assessor from the list using any of the following criteria such as existing relationships, geographic proximity, or best price, then what could be the downside?

So enough of my competitive pandering; here is what I propose as a potential solution to improving the reputation and significance of the DSS.

Access to Investigations
As identified by Branden, the PCI Council is not currently an active participant of the breach investigative process. The Brands, sponsor bank, compromised entity, law enforcement, and of course, the assessor (Qualified Incident Response Assessor) are the only parties typically involved. The final incident report must include a section on PCI compliance status. This is more than just a checkbox on whether someone previously attested to their compliance, but a rather cursory review by the QIRA of all twelve DSS requirements (mini on-site assessment). This section is particularly important to the Council in determining whether the original assessment was properly performed. However, the content of the report is not typically shared with the Council.

The Brands do have visibility and influence into the PCI Council, but the Council deserves an earlier warning of new threats that may influence the DSS, and immediate feedback on sub-standard assessments that may have prevented the fraud in the first place.

The Council already shares NDAs with the Brands, and as the QSA licensing body may leverage its authority to place one under remediation (same as with its QA program). If the errors on the assessment contributed to the actual compromise and it was more than a lapse in point in time, then the Council should enforce its charter and discipline the QSA as necessary. This may weed the field of uncommitted QSAs, but will definitely heighten the thoroughness of those who decide to offer their clients the expert risk protection they were sold. This will allow a footnote or parenthetical on any new statistic involving compliant breaches (attested by a QSA in remediation).

This post originally appeared on

Possibly Related Posts: