Monthly Archives: February 2011

Seven Deadly Sins of a QSA (Part 10)

How to Deal with a Power-Drunk QSA. Above all, remember that he’s just a guy. He’s trying to do his job, just like you are trying to do yours. If you allow the situation to heat up, everyone will suffer. Play the game, work with the guy a little bit. Listen to what he has to say. Ask for suggestions on how you might meet the requirement in his eyes[1]. Overall, he’s probably not a bad guy. Maybe he’s having a bad day and taking it out on you in an unprofessional manner, but that’s a bump in the road that can be overlooked. The first step is to remember the “No Asshole Rule.”[2] Your negative behavior will be amplified and mirrored ...

Seven Deadly Sins of a QSA (Part 9)

Sin #3 – Drunk with Power. QSAs are often in a position of perceived power. They sometimes exhibit authoritarian behavior, oftentimes enabled by the very people they are assessing. QSAs are just people. You are hiring them to evaluate your performance against a detailed set of requirements. They are not peace officers, and they are most definitely not auditors[1]. Smart companies will use this knowledge to their advantage and work the psychology of the situation. The Psychology of the Situation. The QSA is acting in a position of authority based on his role in the assessment process, passing the QSA training class, and his education and experience. Individuals inside companies being assessed rarely know or remember how the world operates ...

Seven Deadly Sins of a QSA (Part 8)

The Role of the Acquirer. Ultimately it is the acquiring institution that must approve the compensating control. If you are like most companies, you are most likely dealing with more than one acquiring institution, so remember: any control you propose should be approved by ALL of them before proceeding. Imagine the difficulty of getting your Visa/MasterCard acquirer to agree with American Express, and then Discover! It’s hard enough to get one institution to agree, but three? Consider this before you bet the farm on a flimsy compensating control that doesn’t solve the underlying problem. How to Avoid Compensating Control Chaos. There is really only one way to avoid getting into a tug-of-war on compensating controls: don’t use them. Unfortunately, for most ...

January 2011 Roundup

What was popular in January? This month (and through February) I am posting my new piece, The Seven Deadly Sins of a QSA. The first draft was very long, but the final piece is around 6,700 words (and too hot for TV). I hope you guys enjoy this! Here are the five most popular posts from last month: Seven Deadly Sins of a QSA Series. This took the first and third through fifth slots this month. Stay tuned as I keep posting this series! At the end, I will have a PDF version for download with all of the content included. PCI DSS 2.0 Release and Review. For the FOURTH month in a row, this post appeared in the top ...

Seven Deadly Sins of a QSA (Part 7)

The Liberal Assessee. If you are tasked with helping a company comply with PCI DSS without all the resources you need to do the job appropriately, you may end up taking a more liberal interpretation of the standard as a shortcut to compliance. Let me be frank: the only shortcut to compliance is to completely outsource your payment processing environment to someone else. It will cost you more money to process transactions, which might be what you should be spending on PCI compliance anyway[1]. Assessees become stage actors at this point in the conversation. I’ve seen some fairly silly controls argued with Oscar-worthy passion. One particular example was a customer of mine that tried to convince me that the basic ...
