This one is link-laden folks.  Enjoy 🙂

SeparatedEggs, by YoAmes

It’s just mere weeks before we’ll see the FOURTH iteration of the PCI DSS, and companies inside the US seem to be getting better at it as we go. PCI continues to be a driving force in information security, and as the standard changes, your business environment will undoubtedly change as well.

Many merchants and service providers mistakenly depend on their QSAs to find all security and PCI compliance issues. Considering the downward market pressure on assessment prices, many security professionals are discussing how QSAs are pressured to get a complete and compliant ROC in the cheapest way possible.  QSA companies are motivated by three main things:

  1. Scope and price the deal in a manner that will win the business,
  2. Make (or beat) the margin, and
  3. Stay off the remediation list.

If you enter into a contract expecting your QSA to find everything, or to be some form of liability transfer, you are misleading yourself into a false sense of security[1]. QSAs are indirectly trained to create great reports, but in order to gain the efficiency required to compete, much of the ROC is complete before the engagement even starts. The executive summary and details in each requirement still need to be written, but you can’t do much more for 10-20K.

This is not to say that you should start spending hundreds of thousands of dollars on QSA assessments, but when you consider that many assessments are performed with only one assessor for a short period of time, shouldn’t you ensure that you are not just going through the motions of fooling a hurried QSA?

Let’s assume that your QSA is better than most and is helping you work through security AND compliance issues. Why would you let your QSA design your controls as well as assess against them? Gartner published an opinion in 2007 that the Payment Card Industry has much to learn from the financial auditing industry—in particular the notion that the firm providing validation services should not be the same firm to provide consulting solutions around security and PCI DSS[2].

Sure, it’s easier to deal with one firm instead of two, but are you really getting what your management is (at least in spirit) asking for? It should be validation that you are in fact compliant with PCI DSS, to lower the chances of a breach and to ensure that if one occurs, you won’t be subject to the same fines as an entity that was found to be non-compliant.

That is why you need to use a different firm for consulting around security and PCI than you do for assessment or audit work. It’s the same generally accepted principle that you would use in other audit scenarios, and it will lead to a better overall result:

You will gain confidence[3] that you are both more secure and compliant after spending ridiculous sums of money to meet that end state.

It may not be the easiest way to go, but it certainly makes for a generally better outcome.

This post originally appeared on BrandenWilliams.com.

  1. baZING!
  2. See the above linked research report for many more details. It’s written by Avivah Litan and Joe Pescatore.
  3. Both yours and senior management’s.