MasterCard Vs. Visa: Dueling Compliance Philosophies
Written by David Taylor
Columnist David Taylor is the Founder of the PCI Knowledge Base and former E-Commerce and Security analyst with Gartner.
People don’t seem to “get” MasterCard. For most of the last 4 years, MasterCard has been criticized for their apparent willingness to let Visa play the “bad guy” who issues fines to acquiring banks (and, through them, to merchants), who extends the PCI standards to application vendors (through PABP, now PA-DSS) and who generally takes the heat for PCI.
Now MasterCard is taking what can only be called a “get tough” policy, issuing larger fines and, most significantly, forcing both Level 1 and Level 2 merchants to use assessors rather than take on the task of self-assessment. But still, merchants, banks, processors and service providers aren’t happy with MasterCard. They just can’t seem to get a break. After numerous conversations with companies on the receiving end of MasterCard’s “get tough” efforts, I think there are some philosophical issues that need to be highlighted.
The MasterCard mandate to use third party Qualified Security Assessors (QSAs) is a big deal. We’ve heard from several Level 1 and Level 2 merchants that this will affect their PCI compliance project management, increase their assessment costs and change who is running PCI internally. Over the last 1-2 years, our research has found that more Internal Audit departments have added IT talent to take on PCI assessments, sometimes on loan from IT, and sometimes by hiring staff. But MasterCard apparently doesn’t trust these companies and the Internal Audit folks.
One likely result is the shifting of PCI-related budget money back from Internal Audit to IT, or simply using the Internal Audit PCI funds to hire a QSA. Some internal auditors say this is a step backward. Visa, on the other hand, appears to be satisfied with merchants taking on the task of self-assessment and, according to several merchants and banks, even encourages it. It’s a different philosophy.
MasterCard’s QSA mandate was almost certainly driven by some pretty shoddy self-assessments by some name-brand companies. After all, a brand name doesn’t mean senior management believes the consultant hype that you have to spend money on data security to protect that brand by avoiding a breach.
But my experience with Internal Audit departments tells me that once that department agrees to take on PCI compliance assessments, they spend more time, effort and money on assessments and generally do a better job than most QSAs.
Why? Cost is a huge factor in QSA selection, so QSAs often have to minimize the assessment scope in order to win business. I know many QSAs who are thoroughly ticked off that some of their clients would prefer a less-than-thorough assessment. Many merchants like QSAs who are “easy graders,” which is not a shock. But these same “cheap ass” (to quote one notable QSA) managers have a hard time sitting across the table from the head of internal audit (who often reports to the CFO) trying to make a case for Internal Audit doing a shoddy PCI assessment.
My point is when Internal Audit people own PCI self-assessment, they will typically do the most thorough job. But when IT owns the self-assessment task, the quality of the self-assessment varies directly with the skills and autonomy of the team assembled by the head of security or the PCI project manager.
One of the arguments I’ve heard a half dozen times since the MasterCard announcement is that their insistence that merchants rely on QSAs rather than build up their own self-assessment teams (wherever they may sit) runs counter to efforts to build a “culture of security.” (I swear – people actually said that!) Personally, I think data security folks (including me) are more like a cult, including the secret handshakes.
But either way, I hope we have reached the point where merchants (both IT and senior management) realize that data security is their responsibility, regardless of whether they perform the actual self-assessment or not. After all, the liability and business risk continue to rest with the merchant, whoever does the PCI assessment. Of course, that issue itself does argue for the merchants owning the self-assessment task.
That said, I do think that one of the downside risks of the MasterCard mandate is that it could renew feelings of antagonism between the merchants and the card brands, with both the QSAs and the acquiring banks caught in the middle.
If I had to choose sides, and I don’t, I would probably come down on the side of allowing greater use of self-assessments. Even if some of the self-assessments turned in have been total crap, there is now a “crap detection” (Quality Assurance) process managed by the PCI SSC, as well as reviews by the acquiring banks. But MasterCard has seemingly decided that is not working. They may be right. They have seen lots of these self-assessments. I just think it’s interesting that Visa, which sees as many, or more, of these self-assessments, came to a different conclusion.
Speaking of conclusions, I’m done. But, if you’d like to agree or disagree, please visit the PCI Knowledge Base, and our “Contact us” page, or if you want to have a personal discussion about the assessment process, just send me an E-Mail at David.Taylor@KnowPCI.com.
August 19th, 2009 at 10:25 am
Dave –
Thanks for another good article at StoreFrontBackTalk. Very interesting topic, but I do have a couple of points that I wanted to raise regarding internal vs. external PCI auditing.
(BTW – in full disclosure, as Dave knows, I work for a security consulting firm that also happens to be a QSA)
1) There is always the argument that a company is going to know their systems and processes better than some outsider coming in for a short period of time to perform an audit.
I’ll actually agree with this idea – any outside firm, unless they have a long history working with a client, does not have nearly the same familiarity and knowledge of a client’s environment as the client’s own team.
That’s one of the reasons why an outside review can be valuable – sometimes there needs to be a bit of separation in order to get a proper perspective, to make certain that assumptions are accurate, and to bring an outside viewpoint into the conversation. But this assumes a certain approach to PCI by the merchant in question… Which gets me to my second point…
2) Any PCI program should be an extension (or subset) of your overall security program. At its heart it’s not just an audit procedure – it should be viewed within the context of your overall security program.
If a company is focusing on the bigger picture of overall security improvement and is actively assessing systems, finding vulnerabilities, closing gaps in security, updating policies, etc. then I don’t think having the internal audit team perform the PCI audit is necessarily a problem.
Where I do see difficulties is when merchants are looking to ‘just get the damn thing done’ and look at compliance as an exercise unto itself.
In that case, I think finding an outside firm that can provide both PCI auditing and broader security expertise is extremely important.
A good number of the ‘PCI’ clients that we work with actually don’t have us do the audits – we work with them on PCI ‘readiness’ which really means they are working to operationalize security and compliance in a broader sense.
Anyway – just my two cents…
Thanks again for another good article…
August 19th, 2009 at 11:40 am
Hi, Alex,
Thanks for your feedback. I certainly agree that PCI needs to “fit” with the overall security program and that getting an external perspective / review of PCI, security, and its business as well as technical implications, is a great idea.
For me the most interesting part about this issue is the underlying assumption (the philosophy) that’s being made about what sources (and what process) create the “best” assessment.
I appreciate the feedback.
thx, Dave
August 19th, 2009 at 4:46 pm
Re the “culture of security” (or culture of security awareness) – not sure why you find that a surprising term and approach. It has been around for quite some time. Most of us in security strive for such a situation, where our users, developers, management, etc. have an appreciation of security / governance so that they will keep these things in mind when developing new projects, services, etc. It’s a place where security et al. is built into processes, not slapped on later at great expense and resistance; we want our user community to appreciate the value of security and its role in contributing to the success of business initiatives.
As I tell my colleagues and business users, my job is to help ensure no one tampers with or interferes with their applications, and be part of our competitive advantage by ensuring our applications and services are up and running while our competitors are “off the air” because they are busy dealing with the latest security threats.
As to MasterCard, they seem to be devolving PCI DSS into the SOX free-for-all and money grab. They remind me of power-obsessed grade school teachers who rather than deal with an unruly student, seem to think punishing the whole class will solve the problem.
August 19th, 2009 at 5:05 pm
Re: my “culture of security” comment. I suspect sometimes that my sense of humor is lost in my columns. I use quote marks to set off things, but that doesn’t do the trick sometimes. I was trying to get a joke out of “culture” vs. “cult” – I am familiar with the term.
Dave T.