This is page 2 of:

Why Are You More Afraid Of A QSA Than A Cyberthief?

December 16th, 2009

In another case, the client decided to scan user workstations for stored cardholder data. The finance director wanted her department’s computers to be scanned first. She wanted to communicate to the whole company that we were searching for rogue data. We were not looking to assign blame. She told me she hoped we would find some data that wasn’t supposed to be there so she could demonstrate that we were focused on going forward, not backward. She’s one of my PCI heroes.

We Are On The Same Side

At each PCI Community Meeting, there is a QSA-only session with the Council’s Technical Working Group, which represents the five card brands. These closed-door sessions can get pretty contentious, especially where DSS requirements are perceived to conflict with merchant and processor business realities. QSAs use these sessions to present the merchant’s perspective and argue for additional guidance or flexibility or changes to the Standard. It’s a shame merchants can’t attend to witness some of this stance.

Sometimes the QSA is in an untenable position. Take Requirement 11.2.b, which mandates four quarterly passing scans over the previous year. This requirement is sensible. But let’s say you, the merchant, missed a quarterly scan. Maybe there was staff turnover or you reorganized or somebody got hit by a beer truck. Whatever the reason, you missed a quarterly scan. And unless we can summon Dr. Who and his time-travel talents, you aren’t likely to be able to go back and fix it. The QSA is supposed to enforce the Requirement and, therefore, can’t sign-off on your being compliant. As a non-compliant merchant, you are in trouble with your boss and your acquirer. If you are a non-compliant processor, you go off Visa’s list of approved service providers and maybe out of business.

Trust me, QSAs do not enjoy these situations. QSAs have argued the case for some flexibility on this requirement, and recent guidance from the Council indicates there may be flexibility in some cases. If you end up benefitting from this or some similar situation, you might want to thank your QSA.

Please understand: Neither the Council nor the Standard is the common enemy. I am a fan of PCI as the best thing we have. It’s not perfect, but it has raised security awareness like nothing else before it. The Council is listening, and a lot of good people work there. I just want to share a dirty little secret with you: Sometimes your QSA actually is on your side.

Life Is Like Basketball

I feel that life is like the game of basketball: It’s all about whoever touches the ball last. If I buy a prepared meal and everybody likes it, I get the credit. If I open a bottle of wine and it’s corked, I get the criticism. In neither case did I really do anything. I was just the last one to touch the ball.

Many QSAs spend time describing the business needs and PCI challenges of retailers (and hotels and airlines and telecoms and universities) to the Council. QSAs go to the mat for their clients (I know I do) for a compensating control or a favorable interpretation of a requirement. Because they also get to deliver the bad news, though, QSAa are the bad guys.

At least for me, I refuse to be perceived as an adversary of either my clients or the Council. We are all in this together, and we can make it easier all around–and your environment a whole lot more secure–if we work together.

I’m interested to know what you think. Am I naïve? Am I too taken with the generosity of the holiday season? What am I missing? Are IT professionals–white hats and black hats–kindred spirits and QSAs the ones crashing the party? Leave a comment below or send me an E-mail at


3 Comments | Read Why Are You More Afraid Of A QSA Than A Cyberthief?

  1. Ryan Barnett Says:

    I work for Web Application Firewall (WAF) vendor Breach Security and I couldn’t agree with you more about the unfortunate *gotcha* related to merchants attempting to address Requirement 6.6 by deploying a WAF however they never move into an actual blocking configuration. The intent of 6.6 is Remediation and if you aren’t blocking with your WAF then you missed the point. Another interesting topic related to PCI and WAFs is how should a merchant configure their WAF to handle ASV traffic? Should they whitelist the ASV domain entirely? Should they do their normal blocking? Seems as though each QSA has a different view on this topic :) There are valid reasons for each camp.

  2. Biff Matthews Says:

    I believe the issue is one of expense, the known absolute expense of addressing an assessor’s finding versus the unknown and possibly no expense if a breach does not occur.
    What is the probability of being breached, therefore the cost versus the cost of implementing greater security that may or may not be breachable.
    The fact that one is judged to be not in compliance by the mere fact that it is breached even after adhering to all the PCI requirements is another oxymoron.
    PCI in my opinin is a fear tactic by the card associations to drive the small and medium size players from the acquiring business in an effort to reduce the number of members they must manage therefore dramatically reducing the association’s overhead.

  3. Walt Conway Says:

    Thanks for the comment, Biff. I do want to take issue a little with two points you make.

    You imply that the cost of a breach is less than the cost of compliance. I disagree. While I agree that the probability of a breach may be low, it is growing, and with the high financial, legal, infrastructure, business interruption, and brand damage costs associated with a breach, the cost of compliance is lower. I really believe (and I’ll admit to some bias) that the cost of compliance is less than the cost of noncompliance, even if we adjust the cost of noncompliance by the probability of a breach, i.e., Pr (breach) * breach cost > compliance cost.

    You mention that “one is judged to be not in compliance by the mere fact that it [the merchant] is breached even after adhering to all the PCI requirements.” I don’t think I can agree with you on that one, either. The Council and the brands have said that no merchant that suffered a data breach was ever found to be PCI compliant at the time of the breach. I am not a big fan of that statement, at least partly because it seems to taunt every bad guy out there. Nevertheless, their forensics bear them out. The statement about not being compliant is based on the forensic investigation identifying the source of the breach, not the sole fact that a breach occurred.

    Besides, PCI is a data protection standard, not a security standard. I could argue that PCI assumes your systems will be breached, and that is why you need to protect the cardholder data you are storing.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.