Chris Mark over at the PCI Answers blog wrote a fantastic post on The Rise of the Defensive PCI Assessment toward the end of last year.  I read it right after he posted it, and knew that I wanted to add to his thoughts.  It’s taken me about this long to get my thoughts together.

I totally agree with his assessment, and I have run into some situations where this has come up with other QSAs.  Some QSAs have altered their interpretations (or made them more literal, I should say) because they realized that they were interpreting the standard incorrectly, or because they priced the assessment so low to win the business that they cannot afford the time to understand the technology solution and make a more appropriate compliance decision.  It could even be that the resources are junior, and therefore have not seen the particular implementation before.

Some QSAs are also getting the blame for changing their stance on a particular compliance issue when the company being assessed is actually at fault.  A compliant decision in 2008 may not be the same as compliant in 2009 if the control for a particular requirement is not maintained.  Context can be an issue as well, especially when a new assessor (maybe from the same company, but a new individual) participates in the assessment.

Here’s an example.  If someone came up to me and asked, “Is telnet allowed in PCI DSS?” my gut response would be, “No, not really.”  But what if they said, “I have some legacy devices that can only be administered via telnet.  We have a management network set aside that is segmented from the rest of the network, and administrators need to use two-factor SecurID authentication through a jump server to reach that network”?  I’d say that works.
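The telnet case above comes down to two checks an assessor should actually verify rather than take as a yes/no answer: the jump server can reach TCP/23 on the legacy devices, and nothing else can.  The following script is an added example, not code from the original post; it models a first-match firewall policy and audits both halves of that control, with a weak ruleset (telnet open from the whole management network) beside a corrected one (only the jump host).  All addresses, network ranges and rules are constructed assumptions for illustration.

```python
"""Audit a first-match firewall policy for the telnet compensating control:
TCP/23 to legacy devices may be reachable only from the jump server on the
segmented management network.

Constructed example, not from the original post.  All networks, hosts and
rules below are assumptions chosen for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # destination TCP port, None means any port
    action: str            # "allow" or "deny"


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dport: int,
             default: str = "deny") -> str:
    """Return the action of the first rule matching the flow (first-match semantics)."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return default


TELNET = 23


def audit_telnet_control(rules: List[Rule], jump_host: str, legacy_device: str,
                         other_sources: List[str]) -> List[str]:
    """Check both halves of the control: the jump host can reach telnet on the
    legacy device, and none of the other listed sources can.
    Returns a list of findings; an empty list means the control holds."""
    findings = []
    if evaluate(rules, jump_host, legacy_device, TELNET) != "allow":
        findings.append(f"jump host {jump_host} cannot reach telnet on {legacy_device}")
    for src in other_sources:
        if evaluate(rules, src, legacy_device, TELNET) == "allow":
            findings.append(f"telnet on {legacy_device} reachable from non-jump source {src}")
    return findings


# Constructed topology (assumed): management net 10.10.0.0/24 holds the jump
# host 10.10.0.5; legacy devices live in 10.20.0.0/24; corporate LAN is 10.0.0.0/16.
JUMP_HOST = "10.10.0.5"
LEGACY_DEVICE = "10.20.0.17"
# Sources that must NOT reach telnet: a corporate workstation, another host on
# the management net, and an unrelated address.
OTHER_SOURCES = ["10.0.5.44", "10.10.0.99", "192.168.1.10"]

# Weak policy: telnet to the legacy range allowed from the whole management net,
# so any host that lands on that segment bypasses the jump server.
WEAK_RULES = [
    Rule("10.10.0.0/24", "10.20.0.0/24", TELNET, "allow"),
    Rule("0.0.0.0/0", "0.0.0.0/0", None, "deny"),
]

# Corrected policy: only the jump host may open TCP/23 to legacy devices, and
# telnet to that range is explicitly denied before any broader rule.
HARDENED_RULES = [
    Rule("10.10.0.5/32", "10.20.0.0/24", TELNET, "allow"),
    Rule("0.0.0.0/0", "10.20.0.0/24", TELNET, "deny"),
    Rule("0.0.0.0/0", "0.0.0.0/0", None, "deny"),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit_telnet_control(rules, JUMP_HOST, LEGACY_DEVICE, OTHER_SOURCES) or "OK")
```

Running it reports one finding for the weak policy (the second management-net host can reach telnet) and none for the hardened one.  The point for an assessment is that "segmented management network" is not the control by itself; the rule that actually restricts the source to the jump host is what has to be read and tested.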

Back to the topic at hand: the less an assessor needs (or wants) to think about the tedious parts of a PCI assessment (or ANY security assessment, for that matter), the less accurate your result will be, and the more likely you are to end up answering “Yes/No” questions about your environment.  And the more one-word answers you give, the less likely your assessor is to get an accurate picture of your environment.  So if you want future folks to have to clean up a mess, get an easy pass.  Otherwise, interview your assessor to ensure they will do a good job BEFORE hiring them, and make sure that going with the cheapest assessor is not your only option.

