I love our industry! There is no shortage of truly talented and smart folks, and one of the best parts of being in this industry is getting to have conversations with these folks often. Ben Tomhave (@falconsview), a noted security pro and blogger, kicked off a flurry of tweets that went in two directions. The first was a common myth about PCI DSS validation, which I will address here (and make much clearer in the next edition of the book). “Can merchants (including Level 1) self-assess?” led us to a conversation about the functions of audit, the industry in general, and corporate responsibility. We’ll get into THAT discussion next week.

The discussion on Twitter began with this tweet:

http://twitter.com/falconsview/status/156800098406383618

Here’s a basic summary of the conversation (FYI, the tweets are all public if you want to go back and look; some were lightly edited to help the conversation flow in this format):

Me: That is correct. Merchants have always been able to self certify. Service providers cannot. (brand rules)

Ben: what do you mean “always”? where is that written? thought it was mandatory for L1/L2 merchants to have a QSA?

Me: It’s written in the payment brand level definitions and required validation procedures. MC now requires ISA/QSA for L2.

Ben: if that’s true, then I don’t understand how we need so many QSAs…? why would anybody opt 2 pay more when cutting corners?

Me: Because merchants incorrectly believe that hiring a QSA accounts for a liability transfer. Plus, with corp accountability, an officer’s signature on the Attestation of Compliance is usually required.

Ben: regardless, it seems to me that there is good financial motive to foster confusion around whether or not QSA is a req. 🙂

Me: I argue that anyone who says it’s required probably isn’t intelligent enough to do it right anyway 🙂 #proposalintrashcan

Ben: Wow, that’s quite a statement. I would argue that people listen to their auditors+consultants+QSAs a little too much. 😉

Me: I’m right there with you. That’s why those folks should become ISAs so they can call bullshit instead of driving off a cliff.

This is the first part of the discussion which I really enjoyed because not only did we discuss some of the false perceptions around PCI DSS (like using a QSA is a requirement), we also got to rehash some roles and responsibilities. We cover this in the book and I reviewed it in this post. Here’s a summary:

  • The PCI Council (Intent): Only answers questions about the intent of PCI DSS. Don’t ask about fines, complain about merchant levels or the requirement to use a QSA or ISA, or ask if Bit9 will comply with Requirement 5.

  • Payment Brand (Enforcement): Only answers questions about their specific compliance program. Visa’s CISP, MasterCard’s SDP, American Express’s DSOP, Discover’s DISC, and JCB’s DSP all refer to PCI DSS as the common set of controls, but all have different requirements to comply. You should ask them about fines or when to submit an SAQ. Don’t ask them about the intent of a PCI requirement (though they will likely answer to assist you) or if RSA’s SecurID is the only thing that will satisfy Requirement 8.2. While they may try to assist, I typically see (with one exception) payment brands avoid those discussions, especially when their competitors are present.
  • Acquirer (Enforcement): Most compliance questions are better suited for your acquirer because they are responsible for your actions on the payment network. Acquirers don’t have all the answers, and you should not ask them if EV-SSL will comply with Requirement 4.1 (hint… it will) or the intent behind a particular requirement. Again, they may try to point you in the right direction, but Payment Brands are responsible for enforcement of PCI, and they enforce it on your Acquirer who then enforces it on you.
  • QSA/ISA (Interpretation): Your QSA (or ISA) is an important step in the PCI DSS process. If you don’t like her, the process is going to be a pain. Alternatively, if she works well with your company, things will work out much better for everyone in the end. It’s your QSA’s job to weigh all the guidance from the Council and apply it to your individual environment to determine its compliance with PCI DSS. Ask her questions about specific technologies and their compliance in your environment. Don’t forget to tell her EVERYTHING about the solution. Context is a real issue with these types of questions.

The Council is viewed as the place where the buck stops simply because it is the focal point of everything that has popped up around this industry. To make matters more complicated, members of the Council work for the payment brands! I’ve had numerous discussions with various members in which a question I posed was only answered after I specified whether they should answer with their Council hat on or their day-job hat on.

So, to review the myth busting: all merchants have the option to self-assess, QSAs may get things wrong from time to time, and becoming an Internal Security Assessor (ISA), regardless of your plans to self-assess, is hugely beneficial to your company.

This post originally appeared on BrandenWilliams.com.