
November 18, 2008

Did the PCI Security Standards Council finally admit a problem?

Blogger: Randall Gamby 

On Monday, November 17th, the Payment Card Industry Security Standards Council (PCI SSC) put out a press release announcing the creation of a quality assurance program for the assessment community: https://www.pcisecuritystandards.org/pdfs/pr_081117_qa_program.pdf. It is being implemented in order to "…promote consistent interpretation of the PCI standards and ensure quality is maintained among all vendors." Through the program, the Council and the assessor community are committing to:

• Uphold the best interest of the assessor client;
• Adhere to validation requirements among the assessor company;
• Adhere to validation requirements among the assessor employee;
• Maintain consistent assessor procedures and reporting;
• Interpret the PCI standards appropriately as applicable to the client’s systems & environment;
• Remain current with industry trends and PCI SSC updates in the assessor community;
• Report all opinions as factual, documented and defendable; and
• Maintain a positive relationship between the assessor and PCI SSC.

I should say up front that I stand up and applaud this decision.

But a lot of people have been asking, “Didn’t we have this already?”

The sad reality is that we didn't. There have been unofficial rumors going around the PCI world that Qualified Security Assessors (QSAs), the organizations responsible for performing attestations for the PCI SSC, are providing inconsistent interpretations of attestation requirements; that QSAs who are also hardware or software vendors are requiring the use of their own products to meet PCI compliance; that QSAs are recommending costly solutions to address deficiencies, only for merchants to later find out there were lower-cost alternatives; and that QSAs have different requirements for compliance depending on the merchant's vertical market.

It's been hard enough for many merchants to modify the way they handle credit card transactions to meet the PCI DSS. But many have found it even harder to consistently find a QSA who can attest to their compliance. At Burton Group we get a lot of questions around the differences in how QSAs look at compliance and how to select a QSA, so in September I felt compelled to publish a podcast on these topics: http://podcast.burtongroup.com/ip//2008/09/selecting-a-pay.html

Think about it: a PCI architect goes to their management team in this downturn economy and asks for funding, and management asks, "If we give you the funding for your request, will this make us PCI compliant?" And you know they will. The architect has to honestly respond, "Well, yes, assuming we can find a compatible QSA that will sign off on our architecture." Not a strong message to send to management while their "high risk" alarms begin to go off in their heads. Compliance should be based on whether your actions and architecture actually "meet" the requirements of the standard, not on whether the QSA "feels" you meet them.

So as I said at the beginning, I applaud the PCI SSC’s decision to put a quality assurance program in place but until the program is in full effect (it will be rolled out in a four-stage process throughout 2009), merchants will still have to carefully select their QSA if they want to maximize their chance of achieving compliance.


Comments

Randall - agreed. Individual interpretations from QSA to QSA have been a challenge for merchants. It's good to see the Council move in this direction.

Randall - agreed. Individual interpretations from QSA to QSA have proved challenging for merchants and service providers. This is a welcome change.

Any 4-party model is complex; this one includes Payment Networks, the Payment Card Industry Security Standards Council, QSAs and Retailers. Retailers purchase QSA services, engaging in audits of PCI compliance. Some are being influenced to interpret the standards with less rigor for repeat business with the client, and others are influenced to place technology when they gain from referral fees or internal technology sales incentives.

One community initiative, 'remaining current with industry trends', is losing ground with this current framework. Until more emphasis is placed on security and meeting the intent of the PCI-DSS requirements, emerging technologies will continue to be woefully underutilized. This is a shame, since many QSAs feel they cannot approve these technologies because they want to keep under the radar, and will even approve a less effective common solution to limit exposure of their report to potential scrutiny by the payment network board.

If the quality measurements were public, about both Retailer satisfaction with their QSA engagements and PCI SSC quality assurance ratings, then that would be a healthy change. QSAs could then focus on what's best for securing and protecting the payment card transactional network, and allow the market to grow because of the quality of work accomplished and not just because they were able to perform the greatest number of audits.
