Manchester-Justice Building, by Manky Maxblack

Manchester-Justice Building, by Manky Maxblack

Last week was interesting. First Dave Navetta published the court filing for Merrick Bank v. Savvis, originally filed in May of 2008. Dave points out that although the court filing is a year old, news agencies are just now reporting on it.

Chris Mark elaborated on the topic a short time later in The Aegenis Group blog. There are many valid points in Chris’s explanation including the differences from the Cardholder Information Security Protection standard from Visa and the PCI DSS we have today, and how there were no QSAs or training at the point the assessment was going on. I started working on CISP in 2004 and was alarmed at some of the poor quality of work that I experienced early on.

My favorite point, however, is one that I love to poke at lawyers for. The second half of the article goes into an explanation of how QSAs are sued under the reasonableness standard. This one cracks me up.

Cracked-Up Brando says, “Dude, what you think is reasonable and what I think is reasonable may be two different things. Go ahead buddy, throw it in the contract. It’s a meaningless word that I am confident I could maneuver around.” Of course, Cracked-Up Brando sometimes needs to be reeled back in, but I’ve said those very words recently to an attorney.

Of course, the Yin to Cracked-Up Brando’s Yang, Confused Brando says, “Wait, so you mean that now a customer can fight me tooth and nail on every single gap that I find, and then come back to sue me because I didn’t point out OTHER gaps that may not be relevant to PCI?” Chris points out, “even if the CISP (PCI DSS) or any other standard says a QSA does not have to do something, as a security professional, they should, as a reasonable person, conduct themselves in a manner that any reasonable person would.”

Hrm, how about a little more variance among the QSA community?!

Finally, the part that everyone hates to hear but cannot avoid, “This is going to continue to increase the costs of compliance for all companies and will continue to pose challenges for the industry.”

Things are a little different today with QSAs and the PCI Security Standards Council, but not by too much.

Edit: See Martin McKeay’s post that has some good reference articles as well.

This post originally appeared on

Possibly Related Posts: