People don’t seem to “get” MasterCard. For most of the last 4 years, MasterCard has been criticized for their apparent willingness to let Visa play the “bad guy” who issues fines to acquiring banks (and, through them, to merchants), who extends the PCI standards to application vendors (through PABP, now PA-DSS) and who generally takes the heat for PCI.
Now MasterCard is taking what can only be called a “get tough” policy, issuing larger fines and, most significantly, forcing both Level 1 and Level 2 merchants to use assessors rather than take on the task of self-assessment. But still, merchants, banks, processors and service providers aren’t happy with MasterCard. They just can’t seem to get a break. After numerous conversations with companies on the receiving end of MasterCard’s “get tough” efforts, I think there are some philosophical issues that need to be highlighted.
The MasterCard mandate to use third-party Qualified Security Assessors (QSAs) is a big deal. We’ve heard from several Level 1 and Level 2 merchants that this will affect their PCI compliance project management, increase their assessment costs and change who is running PCI internally. Over the last 1-2 years, our research has found that more Internal Audit departments have added IT talent to take on PCI assessments, sometimes on loan from IT, and sometimes by hiring staff. But MasterCard apparently doesn’t trust these companies and the Internal Audit folks.
One likely result is the shifting of PCI-related budget money back from Internal Audit to IT, or simply using the Internal Audit PCI funds to hire a QSA. Some internal auditors say this is a step backward. Visa, on the other hand, appears to be satisfied with merchants taking on the task of self-assessment and, according to several merchants and banks, even encourages it. It’s a different philosophy.
MasterCard’s QSA mandate was almost certainly driven by some pretty shoddy self-assessments by some name-brand companies. After all, just because a company has a brand name doesn’t mean its senior management believes all the consultant hype that you have to spend money on data security to protect your brand by avoiding a security breach.
But my experience with Internal Audit departments tells me that once that department agrees to take on PCI compliance assessments, they spend more time, effort and money on assessments and generally do a better job than most QSAs.
Why? Cost is a huge factor in QSA selection, so QSAs often have to minimize the assessment scope in order to win business. I know many QSAs who are thoroughly ticked off that some of their clients would prefer a less-than-thorough assessment. Many merchants like QSAs who are “easy graders,” which is not a shock. But these same “cheap ass” (to quote one notable QSA) managers have a hard time sitting across the table from the head of internal audit (who often reports to the CFO) trying to make a case for Internal Audit doing a shoddy PCI assessment.
My point is that when Internal Audit people own PCI self-assessment, they will typically do the most thorough job. But when IT owns the self-assessment task, the quality of the self-assessment varies directly with the skills and autonomy of the team assembled by the head of security or the PCI project manager.
One of the arguments I’ve heard a half dozen times since the MasterCard announcement is that their insistence that merchants rely on QSAs rather than build up their own self-assessment teams (wherever they may sit) runs counter to efforts to build a “culture of security.” (I swear – people actually said that!) Personally, I think data security folks (including me) are more like a cult, including the secret handshakes.
But either way, I hope we have reached the point where merchants (both IT and senior management) realize that data security is their responsibility, regardless of whether they perform the actual self-assessment or not. After all, the liability and business risk continue to rest with the merchant, whoever does the PCI assessment. Of course, that issue itself does argue for the merchants owning the self-assessment task.
That said, I do think that one of the downside risks of the MasterCard mandate is that it could renew feelings of antagonism between the merchants and the card brands, with both the QSAs and the acquiring banks caught in the middle.
If I had to choose sides, and I don’t, I would probably come down on the side of allowing greater use of self-assessments. Even if some of the self-assessments turned in have been total crap, there is now a “crap detection” (Quality Assurance) process managed by the PCI SSC, as well as reviews by the acquiring banks. But MasterCard has seemingly decided that is not working. They may be right. They have seen lots of these self-assessments. I just think it’s interesting that Visa, which sees as many, or more, of these self-assessments, came to a different conclusion. Speaking of conclusions, I’m done. But, if you’d like to agree or disagree, please visit the PCI Knowledge Base, and our “Contact us” page, or if you want to have a personal discussion about the assessment process, just send me an E-Mail at [email protected].