The Most Important Question Your QSA Can Ask

Written by Walter Conway
October 21st, 2010

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

You can look at PCI DSS as a set of 226 questions, all of which ask if you meet each particular requirement. You answer “Yes” or “No,” as appropriate, along with the occasional “Not Applicable” and “Yes, but we do it differently” for a compensating control. Your QSA, however, is likely to ask additional questions. The answers will say a lot about how close you really are to PCI compliance.

The purpose of the questions often is to locate the “unknown unknowns” or to make sure contingencies are addressed. As such, the questions may sound obvious or even silly at first—at least until they succeed in actually uncovering a problem you didn’t know you had.

Every QSA is a little different and brings her/his own particular set of experience and expertise to an assessment. In my case, for example, one question I always ask is: “Can you please show me that?” Most of the time, everything is routine. Sometimes, however, QSAs uncover something that can impact the retailer’s assessment and, more importantly, their security.

For example, I recently visited a client who had implemented a new encryption system. The published encryption algorithm was fine, and during my onsite visit I asked: “Can you please show me a customer record?” When we looked at the user’s screen, the PAN was displayed in cleartext. Clearly, something was wrong. It turned out that the encryption was not actually implemented. Because I asked this simple question, we were able to address the situation quickly.

My favorite question, though—and my own secret weapon, until this column—is different: “What do you do when things go wrong?”

I have heard all kinds of answers from users, ones that have surprised both me and the client’s IT staff. In one case, I asked whether user groups stored any electronic cardholder data. The response was that they did not. Then I asked: “What do you do when the system is down?” It should be noted that by asking this question I have uncovered back-up files stored on thumb drives, CDs and employee-owned laptops. Getting back to my example, the response was: “Oh, I go to my spreadsheet with all the card numbers and I use that.”

In every case, however, the users are neither stupid nor devious. Rather, they are just trying to get their jobs done. As anyone who works in security knows, in the real world, business needs will trump security every time.

Possibly the most important case where my favorite question comes in handy is when assessing compliance with Requirement 12.9—your incident response plan.

Asking “What do you do when things go wrong” has turned up response plans with outdated or missing contact information and contacts who had new responsibilities or were no longer with the company (or the vendor). Sometimes, the plans are stored only in digital format—good luck implementing a response plan when the instructions are on the same device that just got hacked or pulled offline. In times of crisis, the last thing you want to have to do is think. All you want to do is pull the red binder off the shelf and walk through the response plan step by step.

Variations on this question exist. For example, you could ask: “What else?” I once was assigned to work in a secure area where I saw a manager prop open the door at about 10 A.M. The reason: to admit the coffee and tea lady. Because the timing could be a little different each day, it was easier just to leave the door open until the lady and her cart arrived, served the refreshments and left. As a business requirement, coffee and tea trumped security.

There is nothing particularly special or unique about my favorite question. Every retail IT executive should ask it, plus a few of their own. What is your favorite question to ask? I’d like to hear your thoughts. Either leave a comment or E-mail me at

2 Comments

  1. Jim K. Says:

    My favorite question is “who does this when you are on vacation or out of the office”. I usually ask this for log reviews, IDS alerts, FIM alerts, wireless, etc.

    The usual answer is one of:
    “I don’t take vacation”
    “I still connect in when I am on vacation to check logs”

  2. Walt Conway Says:

    Thanks for your comment, and that’s a great question. I think I’ll add it to my list.

    BTW, of the three most common answers, the only one I’d believe is the first one (i.e., “Uhh…”).
