PA DSS: What To Do When Best Practices Become Mandatory

Written by Evan Schuman
September 18th, 2008

In this week’s column, GuestView writer David Taylor raised an unusually frightening question when discussing PCI application assessments: "Who is going to report ‘questionable’ assessments of vendor applications when neither of the parties to the process (the vendor and the assessor) has any motivation to do so?"

To a lesser extent, it’s a legitimate question for PCI assessments of retail operations, as well. But with retailers, there is a theoretical incentive that a retailer doesn’t want to get breached and is relying on the assessment to help identify any weaknesses.

Although such an incentive would exist for application vendors, ISVs are slightly more insulated from such fears, as they are one step removed. Larger ISVs—who tend to attract lawsuits as well as any deep-pocketed company—and especially conscientious small app vendors might have enough enlightened self-interest to care. But what about the legions of midsize application vendors that are looking to cut costs?

The nightmare scenario plays itself out something like this: Apathetic ISV wants its app certified but nothing more, so the ISV shops for an assessor firm and looks only for the lowest price. There are assessment firms that pitch the lowest price, and they are only too happy to make the assessment as quick, painless and profitable (and useless) as possible.

That brings us back to Taylor’s argument: If both sides want to cut costs, who is there to stop them?

Some assessors this week argued that such corner-cutting is happening today and will likely only skyrocket. To be fair, assessors have a strong incentive to make retailers scared of seeking the lowest price, and a higher price does help with those margins. But some of their tales are worth listening to.

Said one QSA, who asked that he not be identified: "I bid on a project where the software application vendor insisted the only way he was going to allow the app to be reviewed (was by a Web streaming application demo) because he lived 4 hours away and didn’t think that, for the money he was willing to pay, anyone would want to drive to his office. We ultimately lost the deal because someone underbid our already too low price and thus, whoever did the work, they probably did the whole project by Webex and probably one that had a one-hour time limit."

Another QSA said he had also seen assessors phoning in assessments. "It really sums up what we are up against and the risk to the guy at the bottom of the PCI food chain: the merchant. POS vendors who don’t see the value—only the cost—gravitate toward the lowest cost auditor to get their tick mark as cheaply as possible," he said. "Unfortunately, as in this case, merchants are left with a false sense of security because their vendor got the stamp of approval. In the event of an incident, the auditors who have jumped on the overnight PCI gravy train will likely disappear at the first sniff of litigation, leaving the affected developers and merchants swinging."

I think it’s safe to say that, today, the vast majority of assessors are professional and careful. But as the deadline for application certification quickly approaches, the number of low-cost fly-by-night assessors will undoubtedly soar, especially as ISVs start to panic that they’ll be left off of the magic list.

That’s the problem with checkmark security. Will ISVs earn their marks? Or will checkmark security live up to its name and become a retail quid pro quo: an even exchange of one check for one mark, and a race to see which will end up with the lowest value?


3 Comments

  1. Randy Carr, Shift4 Corporation Says:

    Come on David,

    Most level 3 and 4 merchants do not have the technical bandwidth or financial resources to own the process or be directly involved with their vendor’s PA DSS assessment. We are talking about mom and pop businesses here. What is important is that they are not exempt and must deal with the new regulations. We need to help these merchants become secure and compliant. After all, they make up 80% of what drives our economy. The last thing we need to do right now is toss another road block in the way of small business. Let’s think economic recovery!

  2. Steve Sommers Says:

    Good article but I do have to strongly disagree with the solution. The article states: “Merchants simply cannot assume that just because a payment application product is on some long list that there has been a thorough and complete review, comparable to a Level 1 merchant’s PCI DSS assessment. Merchants must review the detailed audit reports and even be directly involved in their vendor’s PA DSS assessment. Merchants must own this process, simply because they own the resulting liability and brand damage.”

    There are several problems with this solution. First, most level 3 & 4 merchants don’t know what PCI is other than some costly regulations being forced on them by their merchant service provider and scared into them by various vendors. Second, even with the minority of merchants that truly understand PCI, only a very small percentage of these will be able to decipher a “passing” grade on a particular issue of a PA-DSS assessment report versus an excellent or poor grade. Third, with the larger POS providers, there are not enough hours in a day to educate every level 3 and 4 merchant on the intricacies of a particular PA-DSS assessment.

    To tackle the level 3 & 4 merchants, merchants need a PA-DSS approved list to reference. Sure, in a perfect world, every merchant fully understands every aspect of PCI and more importantly, data security. But we don’t live in a perfect world. In our world, only level 1 & 2 merchants can afford full time data security officers that can dedicate the time and resources to audit and review every assessment of every application in use — level 3 & 4 merchants will need lists. Lists that not only comply with PCI, but also convey some assurance to the merchant that the software they are using is truly secure. We need to better control the quality of what goes on the list. The list should also provide a level of liability protection as well for the merchant. Otherwise I would argue that a PA-DSS assessment is a waste of money because it is useless to the parties it is labeled to help the most, the merchant and the cardholder.

  3. Kim Singletary, Solidcore Says:

    The fundamental assumption here is that using a PA-DSS compliant application (by any Merchant) provides protection against liability and brand damage. ISSA just posted a report by Verisign (Hizner and Sundaresan, 10 Tips to HACK the PA-DSS Standard) showing how a compliant payment application was able to be compromised. The smaller merchants are at the mercy of the PCI standards council without a strong voice to advocate on their behalf and with even less knowledge about IT systems or code review. Passing the burden to these smaller merchants is not the prescription to this problem.

