Tag Archives: Seven Deadly Sins of a QSA

Seven Deadly Sins of a QSA (Part 9)

Sin #3 – Drunk with Power

QSAs are often in a position of perceived power. They sometimes exhibit authoritarian behavior, oftentimes enabled by the very people they are assessing. QSAs are just people. You are hiring them to evaluate your performance against a detailed set of requirements. They are not peace officers, and they are most definitely not auditors (although some may be CPAs). Smart companies will use this knowledge to their advantage and work the psychology of the situation.

The Psychology of the Situation

The QSA is acting in a position of authority based on his role in the assessment process, passing the QSA training class, and his education and experience. Individuals inside companies being assessed rarely know or ...

Seven Deadly Sins of a QSA (Part 8)

The Role of the Acquirer

Ultimately it is the Acquiring institution that must approve the compensating control. If you are like most companies, you most likely are dealing with more than one Acquiring institution, so remember, any control you propose should be approved by ALL of them before proceeding. Imagine the difficulty of getting your Visa/MasterCard acquirer to agree with American Express, and then Discover! It’s hard enough to get one institution to agree, but three? Consider this before you bet the farm on a flimsy compensating control that doesn’t solve the underlying problem.

How to Avoid Compensating Control Chaos

There is really only one way to avoid getting into a tug-of-war on compensating controls—don’t use them. Unfortunately, for most ...

Seven Deadly Sins of a QSA (Part 7)

The Liberal Assessee

If you are tasked with helping a company comply with PCI DSS without all the resources you need to do the job appropriately, you may end up taking a more liberal interpretation of the standard as a shortcut to compliance. Let me be frank: the only shortcut to compliance is to completely outsource your payment processing environment to someone else. It will cost you more money to process transactions, which might be what you should spend on PCI Compliance anyway (for more hot sports opinions on how we ended up in this situation, read this blog post). Assessees become stage actors at this point in the conversation. I’ve seen some fairly silly controls argued with Oscar-worthy ...

Seven Deadly Sins of a QSA (Part 6)

Sin #2 – Compensating Control Chaos

Compensating controls are a challenging and somewhat confusing nuance of PCI DSS. In Chapter 12 of PCI Compliance: Understand and Implement Effective PCI Compliance I delve into this perceived “Get out of jail free” card. Many companies have found this a useful guide for creating compensating controls during their PCI DSS journey (this chapter is freely available at our book’s website, http://www.pcicompliancebook.info/). Compensating controls are designed to allow companies to meet the controls laid out in PCI DSS in alternate ways. For example, a company that cannot put Secure Shell (SSH) on all of their routers and switches due to technical constraints may be able to do something different that would meet requirements for a ...

Seven Deadly Sins of a QSA (Part 5)

How to Avoid a Made Up Requirement

The only way to avoid a made up requirement is to ensure that there is material in the PCI DSS that supports a recommendation before it’s made. There are two main areas where you can find information on how to handle strange situations—PCI DSS itself as well as the FAQ that can be found on the PCI Security Standards Council’s website. The “Navigating PCI DSS” series is also useful, but it is supplementary and cannot be assessed against. Any guidance taken from documents other than the PCI DSS should be written up as a compensating control where appropriate. Additional documentation, such as Special Interest Group (SIG) whitepapers, does not indicate changes in the standard ...

Seven Deadly Sins of a QSA (Part 4)

Being a Security Professional

Being a security professional can be a curse when logically thinking your way through compliance initiatives. No compliance initiative should be a substitute for a sound information security program, but we as security professionals often get caught in the compliance trap. We’ve been beating the security drum for years, yet our musical stylings have gone unappreciated. Enter a compliance initiative and all of a sudden someone is forcing the business to do what we’ve been telling them to do all along! We tend to take advantage of this new security spending windfall and add all kinds of stuff to purchase orders in the name of compliance. QSAs are guilty of this as well. Oftentimes a ...

Seven Deadly Sins of a QSA (Part 3)

Mis-hearing the Trainer

QSAs must pass an evaluation from the Council every year, in addition to earning at least forty CPEs, in order to maintain their QSA designation. Prior to 2010, this meant finding a QSA Requal class near you and having your primary contact book your attendance in said class (you can now do your requalification online). Trainers come and go as we have seen over the years, and I sat through a session with a good number of my team led by a new trainer a few years ago. One of the most important steps a QSA must get right is choosing the correct scope for the assessment. Getting that step wrong sets the whole assessment and the PCI ...

Seven Deadly Sins of a QSA (Part 2)

Sin #1 – Making Up Requirements

One of the most common mistakes QSAs make is to simply make a requirement out of nothing. Don’t fool yourself into thinking PCI assessing is simply black-and-white judgement calls; PCI DSS is complex. In fact, as a security professional, it’s easy to take any good security practice from your brain and tell someone trying to comply with PCI DSS that it needs to be done. For example, changing passwords on a somewhat regular basis is a practice that we all hate doing, but force our users to do anyway. Even without looking at PCI DSS—a standard that has the word “security” in its name—a QSA could tell someone to set up some kind ...

Seven Deadly Sins of a QSA (Part 1)

Those of you who attended HoustonSecCon or #BSidesDFW saw my presentation entitled “The Mistakes QSAs Make.” After presenting, I thought the overall message needed to get to a wider audience, and not just as the slides I present. I set upon this endeavor and came up with the following series entitled the Seven Deadly Sins of a QSA. I’m going to be posting this over the next couple of months (and a single PDF in its entirety when I finish) for you guys out in the tubes. Here is a brief intro to get things going! People make mistakes—and in a people business like consulting, you can expect to see more than a few of them. This series explores seven ...
