Blogger: Randall Gamby
On Monday, November 17th the Payment Card Industry Security Standards Council (PCI SSC) put out a press release announcing the creation of a quality assurance program for the assessment community, https://www.pcisecuritystandards.org/pdfs/pr_081117_qa_program.pdf. It is being implemented in order to, “…promote consistent interpretation of the PCI standards and ensure quality is maintained among all vendors.” Through the program, the Council and the assessor community are committing to:
• Uphold the best interest of the assessor client;
• Adhere to validation requirements among the assessor company;
• Adhere to validation requirements among the assessor employee;
• Maintain consistent assessor procedures and reporting;
• Interpret the PCI standards appropriately as applicable to the client’s systems & environment;
• Remain current with industry trends and PCI SSC updates in the assessor community;
• Report all opinions as factual, documented and defendable; and
• Maintain a positive relationship between the assessor and PCI SSC.
I should say up front that I stand up and applaud this decision.
But a lot of people have been asking, “Didn’t we have this already?”
The sad reality is that we didn’t. There have been unofficial rumors going around the PCI world that Qualified Security Assessors (QSAs), the organizations responsible for performing attestations for the PCI SSC, are providing inconsistent interpretations of attestation requirements; that QSAs who are also hardware or software vendors are requiring the use of their own products to meet PCI compliance; that QSAs are recommending costly solutions to address deficiencies, with merchants only later finding out there were lower cost alternatives; and that QSAs are applying different compliance requirements depending on the merchant’s vertical market.
It’s been hard enough for many merchants to modify the way they handle credit card transactions to meet the PCI DSS. But many have found it even harder to consistently find a QSA who can attest to their compliance. At Burton Group we get a lot of questions around the differences in how QSAs look at compliance and how to select a QSA. So in September I felt compelled to publish a podcast on these topics, http://podcast.burtongroup.com/ip//2008/09/selecting-a-pay.html.
Think about it: a PCI architect goes to their management team in this downturn economy and asks for funding, and management asks, “If we give you the funding for your request, will this make us PCI compliant?” And you know they will ask. The architect has to honestly respond, “Well, yes, assuming we can find a compatible QSA that will sign off on our architecture.” Not a strong message to send to management while their “high risk” alarms begin to go off in their heads. Compliance should be based on whether your actions and architecture actually “meet” the requirements of the standard, not on whether the QSA “feels” you meet them.
So as I said at the beginning, I applaud the PCI SSC’s decision to put a quality assurance program in place, but until the program is in full effect (it will be rolled out in a four-stage process throughout 2009), merchants will still have to carefully select their QSA if they want to maximize their chance of achieving compliance.