PA DSS: What To Do When Best Practices Become Mandatory
Written by Evan Schuman

In this week’s column, GuestView writer David Taylor raised an unusually frightening question when discussing PCI application assessments: "Who is going to report ‘questionable’ assessments of vendor applications when neither of the parties to the process (the vendor and the assessor) has any motivation to do so?"
To a lesser extent, it’s a legitimate question for PCI assessments of retail operations, as well. But with retailers, there is a theoretical incentive that a retailer doesn’t want to get breached and is relying on the assessment to help identify any weaknesses.
Although such an incentive would exist for application vendors, ISVs are slightly more insulated from such fears, as they are one step removed. Larger ISVs—who tend to attract lawsuits as well as any deep-pocketed company—and especially conscientious small app vendors might have enough enlightened self-interest to care. But what about the legions of midsize application vendors that are looking to cut costs?
The nightmare scenario plays itself out something like this: Apathetic ISV wants its app certified but nothing more, so the ISV shops for an assessor firm and looks only for the lowest price. There are assessment firms that pitch the lowest price, and they are only too happy to make the assessment as quick, painless and profitable (and useless) as possible.
That brings us back to Taylor’s argument: If both sides want to cut costs, who is there to stop them?
Some assessors this week argued that such corner-cutting is happening today and will likely only skyrocket. To be fair, assessors have a strong incentive to make retailers scared of seeking the lowest price, and a higher price does help with those margins. But some of their tales are worth listening to.
Said one QSA, who asked that he not be identified: "I bid on a project where the software application vendor insisted the only way he was going to allow the app to be reviewed was by a Web streaming application demo, because he lived 4 hours away and didn’t think that, for the money he was willing to pay, anyone would want to drive to his office. We ultimately lost the deal because someone underbid our already too low price and thus, whoever did the work, they probably did the whole project by Webex, and probably one that had a one-hour time limit."
Another QSA said he had also seen assessors phoning in assessments. "It really sums up what we are up against and the risk to the guy at the bottom of the PCI food chain: the merchant. POS vendors who don’t see the value—only the cost—gravitate toward the lowest cost auditor to get their tick mark as cheaply as possible," he said. "Unfortunately, as in this case, merchants are left with a false sense of security because their vendor got the stamp of approval. In the event of an incident, the auditors who have jumped on the overnight PCI gravy train will likely disappear at the first sniff of litigation, leaving the affected developers and merchants swinging."
I think it’s safe to say that, today, the vast majority of assessors are professional and careful. But as the deadline for application certification quickly approaches, the number of low-cost fly-by-night assessors will undoubtedly soar, especially as ISVs start to panic that they’ll be left off of the magic list.
That’s the problem with checkmark security. Will ISVs earn their marks? Or will checkmark security live up to its name and become a retail quid pro quo: an even exchange of one check for one mark, and a race to see which ends up with the lowest value?
September 18th, 2008 at 2:14 pm
Come on David,
Most level 3 and 4 merchants do not have the technical bandwidth or financial resources to own the process or be directly involved with their vendor’s PA DSS assessment. We are talking about mom-and-pop businesses here. What is important is that they are not exempt and must deal with the new regulations. We need to help these merchants become secure and compliant. After all, they make up 80% of what drives our economy. The last thing we need to do right now is toss another roadblock in the way of small business. Let’s think economic recovery!
September 18th, 2008 at 2:50 pm
Good article but I do have to strongly disagree with the solution. The article states: “Merchants simply cannot assume that just because a payment application product is on some long list that there has been a thorough and complete review, comparable to a Level 1 merchant’s PCI DSS assessment. Merchants must review the detailed audit reports and even be directly involved in their vendor’s PA DSS assessment. Merchants must own this process, simply because they own the resulting liability and brand damage.”
There are several problems with this solution. First, most level 3 & 4 merchants don’t know what PCI is other than some costly regulations being forced on them by their merchant service provider and scared into them by various vendors. Second, even with the minority of merchants that truly understand PCI, only a very small percentage of these will be able to decipher a “passing” grade on a particular issue of a PA-DSS assessment report versus an excellent or poor grade. Third, with the larger POS providers, there are not enough hours in a day to educate every level 3 and 4 merchant on the intricacies of a particular PA-DSS assessment.
To tackle the level 3 & 4 merchants, merchants need a PA-DSS approved list to reference. Sure, in a perfect world, every merchant fully understands every aspect of PCI and, more importantly, data security. But we don’t live in a perfect world. In our world, only level 1 & 2 merchants can afford full-time data security officers who can dedicate the time and resources to audit and review every assessment of every application in use — level 3 & 4 merchants will need lists. Lists that not only comply with PCI, but also convey some assurance to the merchant that the software they are using is truly secure. We need to better control the quality of what goes on the list. The list should also provide a level of liability protection for the merchant as well. Otherwise I would argue that a PA-DSS assessment is a waste of money because it is useless to the parties it is labeled to help the most, the merchant and the cardholder.
September 18th, 2008 at 6:41 pm
The fundamental assumption here is that using a PA-DSS compliant application (by any Merchant) provides protection against liability and brand damage. ISSA just posted a report by Verisign (Hizner and Sundaresan, 10 Tips to HACK the PA-DSS Standard) showing how a compliant payment application was able to be compromised. The smaller merchants are at the mercy of the PCI standards council without a strong voice to advocate on their behalf and with even less knowledge about IT systems or code review. Passing the burden to these smaller merchants is not the prescription to this problem.