This is page 2 of:
Re-Thinking PCI Assessor Selection: Does Quality Matter?
So what is the downside if you decide to “go cheap” and just hire whatever QSA your acquirer “encourages” you to use, or whoever gives you the best price, or who guarantees compliance? One answer: Your job and your reputation. If you (or a committee that includes you) hire a QSA company primarily based on price and/or “flexibility,” the risk of a breach will be higher, and the risk that the breach will compromise a larger amount of confidential data is also higher.
But the more immediate problem is that if you use a bargain basement QSA, your Report on Compliance (ROC) is more likely to be bounced by your acquirer or the PCI SSC’s Quality Assurance team. That will lead to more work for you and, more importantly, could be an embarrassment that could cost you the respect of upper management, even if they are the ones who told you to cut the QSA budget.
As much as people like to complain about the PCI compliance assessment process, I would estimate that 80 percent of the people I talk to for our research personally care about security. That is why, in the long run, it’s better to hire a QSA company that does a good job, has great references, knows your industry, understands business risk as well as compliance, and won’t just “give in” if somebody challenges them.
Yes, achieving compliance may not be terribly meaningful beyond avoiding fines. But it’s a way to improve the security of the business and the process helps ensure actions are taken. So, despite the cynicism about the “no win scenario,” we, and our companies, are winners if we simply reduce risk as best we can, given the constraints under which we operate in our business.
We started out seriously cynical and ended up just plain serious. I am very interested in what companies are doing as they reverse the mindset from increased self-assessment to the use of QSAs. I especially would like to talk to anyone doing a QSA assessment or who would like to help us improve our QSA selection RFP template. So, please visit the PCI Knowledge Base, and our “Contact us” page, or if you want to have a personal discussion about assessment selection, just send me an E-Mail at David.Taylor@KnowPCI.com.
-Marc
August 26th, 2009 at 4:13 pm
“But the more immediate problem is that if you use a bargain basement QSA, your Report on Compliance (ROC) is more likely to be bounced by your acquirer or the PCI SSC’s Quality Assurance team.”
If that its the case, it only server to further proves what a crock PCI DSS and the QSA qualification process are. If an ROC is going to be rejected by the acquirer or the PCI SSC — the vary organization that said the QSA in question is qualified! — their credibility is out the window.
How can the PCI SSC have it both ways — telling us a specific QSA is qualified to do the assessments, and then reject the ROC from that QSA? Even a first year law student could win that court case me!
August 26th, 2009 at 11:22 pm
Hi, Cranston,
I agree that just taking a 2 day training class (and paying a bunch of money) to become a QSA is not exactly a high hurdle. There’s a long list of QSA companies and they’re certainly not all equal. I have talked with acquirers and other assessors who are skeptical of certain QSA companies, who have “reputations” as being easy. But there is actually far more variation by individual QSA than there is by company, according to a great number of our interviews with merchants, banks, service providers, and the QSAs themselves. I suggest you search our research DB for comments from our anonymous interviews about specific companies, or you can post questions to others in our discussion forums – you can do so anonymously if you wish. If you would like to discuss this, just email me. (david.taylor@knowpci.com). Thanks, Dave
August 27th, 2009 at 10:00 am
Pick a QSA that has something to lose – a 5 man shop has a lot less to lose than the partner signing the ROC at a Big Four firm.
There is a reason why you pay a premium at these types of firms.
August 28th, 2009 at 1:28 pm
@bob
“Pick a QSA that has something to lose – a 5 man shop has a lot less to lose than the partner signing the ROC at a Big Four firm. There is a reason why you pay a premium at these types of firms.”
Ah, yes — the same Big Four who’s activities brought us Enron and SOX. I suspect it’s *not* that they really have more to lose (seems to me these firms made a killing from SOX which was brought in to “fix” of the very problems they caused), but just that they have more resources to cause the PCI SSC pain and greif if they ever were challeneged.
August 28th, 2009 at 2:10 pm
I wanted to see if I could get a soft copy of the pci qsa article by David Taylor. It looks like a nice capsule summary of conversations my customers have had.
Thanks,
mark
August 31st, 2009 at 6:29 pm
Wouldn’t it be best to hire the QSA company that is also listed as one of the very select and few QIRAs also? After all, if you attain compliancy and then get breached, assuming you changed nothing, how could the PCI SSC ever come back and say your company was not compliant when the assessment was done not only by a QSA but one they have hand-anointed as a QIRA? That seems a sure-fire slippery slope for the PCI SSC if I ever saw one. Would the assessor investigate themselves? I think PCI SSC needs to re-think the QIRA list.
September 2nd, 2009 at 2:06 pm
The question is not just picking up a good QSA. Do we need to drive or be driven?
Its what the internal security team lays a strategy and plans and implements for data security rather than go get a PCI certification which is not an end in itself.
Its like a chain is as strong as the weakest link. The corporates have to pass budgets in time, plan for mitigation of risks which most of the time is legacy driven and ask ourselves “how do i improve this further?” Nevertheless, meeting the PCI standards is necessary but it does’nt cost running an extra mile to safegaurd the trust reposed by customers of their card data with us.
September 18th, 2009 at 11:10 am
@Chris Miller
“Wouldn’t it be best to hire the QSA Company that is also listed as one of the very select and few QIRAs also?”
If a Merchant has been breach, and QSA from Company X has submitted a passing ROC, then that Merchant needs to call QIRA Y or Z. Company X can not do the investigation.
While I do agree that the 7 on the list is short sited from the amount of other forensic firms. Lets hope that the SSC adjusts the list once they take over the QIRA program later this year.
Cheers,
Chris
September 18th, 2009 at 8:18 pm
If brands would invest in security and stop relying on other people to protect their magnetic stripe data for them, we wouldn’t need QSAs at all.