The Most Important Question Your QSA Can Ask

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

You can look at PCI DSS as set of 226 questions, all of which ask if you meet each particular requirement. You answer "Yes" or "No," as appropriate, along with the occasional "Not Applicable" and "Yes, but we do it differently" for a compensating control. Your QSA, however, is likely to ask additional questions. The answers will say a lot about how close you really are to PCI compliance.

The purpose of the questions often is to locate the "unknown unknowns" or to make sure contingencies are addressed. As such, the questions may sound obvious or even silly at first—at least until they succeed in actually uncovering a problem you didn't know you had.

Every QSA is a little different and brings her/his own particular set of experience and expertise to an assessment. In my case, for example, one question I always ask is: "Can you please show me that?" Most of the time, everything is routine. Sometimes, however, QSAs uncover something that can impact the retailer's assessment and, more importantly, their security.

For example, I recently visited a client who had implemented a new encryption system. The published encryption algorithm was fine, and during my onsite visit I asked: "Can you please show me a customer record?" When we looked at the user's screen, the PAN was displayed in cleartext. Clearly, something was wrong. It turned out that the encryption was not actually implemented. Because I asked this simple question, we were able to address the situation quickly.

My favorite question, though—and my own secret weapon, until this column—is different: "What do you do when things go wrong?"

I have heard all kinds of answers from users, ones that have surprised both me and the client's IT staff. In one case, I asked whether user groups stored any electronic cardholder data. The response was that they did not. Then I asked: "What do you do when the system is down?" It should be noted that by asking this question I have uncovered back-up files stored on thumb drives, CDs and employee-owned laptops. Getting back to my example, the response was: "Oh, I go to my spreadsheet with all the card numbers and I use that."

In every case, however, the users are neither stupid nor devious. Rather, they are just trying to get their jobs done. As anyone who works in security knows, in the real world, business needs will trump security every time.

Possibly the most important case where my favorite question comes in handy is when assessing compliance with Requirement 12.9—your incident response plan.

Asking "What do you do when things go wrong" has turned up response plans with outdated or missing contact information and contacts who had new responsibilities or were no longer with the company (or the vendor). Sometimes, the plans are stored only in digital format—good luck implementing a response plan when the instructions are on the same device that just got hacked or pulled offline. In times of crisis, the last thing you want to have to do is think. All you want to do is pull the red binder off the shelf and walk through the response plan step by step.

Variations on this question exist. For example, you could ask: "What else?" I once was assigned to work in a secure area where I saw a manager prop open the door at about 10 A.M. The reason: to admit the coffee and tea lady. Because the timing could be a little different each day, it was easier just to leave the door open until the lady and her cart arrived, served the refreshments and left. As a business requirement, coffee and tea trumped security.

There is nothing particularly special or unique about my favorite question. Every retail IT executive should ask it, plus a few of their own. What is your favorite question to ask? I'd like to hear your thoughts. Either leave a comment or E-mail me at [email protected].