PA DSS: What To Do When Best Practices Become Mandatory

In this week's column, GuestView writer David Taylor raised an unusually frightening question when discussing PCI application assessments: "Who is going to report 'questionable' assessments of vendor applications when neither of the parties to the process (the vendor and the assessor) has any motivation to do so?"

To a lesser extent, it's a legitimate question for PCI assessments of retail operations, as well. But with retailers, there is at least a theoretical incentive: a retailer doesn't want to get breached and is relying on the assessment to help identify any weaknesses.

Although the same incentive exists in theory for application vendors, ISVs are slightly more insulated from such fears, as they are one step removed. Larger ISVs—who tend to attract lawsuits as well as any deep-pocketed company—and especially conscientious small app vendors might have enough enlightened self-interest to care. But what about the legions of midsize application vendors that are looking to cut costs?

The nightmare scenario plays itself out something like this: Apathetic ISV wants its app certified but nothing more, so the ISV shops for an assessor firm and looks only for the lowest price. There are assessment firms that pitch the lowest price, and they are only too happy to make the assessment as quick, painless and profitable (and useless) as possible.

That brings us back to Taylor's argument: If both sides want to cut costs, who is there to stop them?

Some assessors this week argued that such corner-cutting is happening today and will likely only skyrocket. To be fair, assessors have a strong incentive to make retailers scared of seeking the lowest price, and a higher price does help with those margins. But some of their tales are worth listening to.

Said one QSA, who asked that he not be identified: "I bid on a project where the software application vendor insisted the only way he was going to allow the app to be reviewed was by a Web streaming application demo, because he lived 4 hours away and didn't think that, for the money he was willing to pay, anyone would want to drive to his office. We ultimately lost the deal because someone underbid our already too low price and thus, whoever did the work, they probably did the whole project by Webex and probably one that had a one-hour time limit."

Another QSA said he had also seen assessors phoning in assessments. "It really sums up what we are up against and the risk to the guy at the bottom of the PCI food chain: the merchant. POS vendors who don't see the value—only the cost—gravitate toward the lowest cost auditor to get their tick mark as cheaply as possible," he said. "Unfortunately, as in this case, merchants are left with a false sense of security because their vendor got the stamp of approval. In the event of an incident, the auditors who have jumped on the overnight PCI gravy train will likely disappear at the first sniff of litigation, leaving the affected developers and merchants swinging."

I think it's safe to say that, today, the vast majority of assessors are professional and careful. But as the deadline for application certification quickly approaches, the number of low-cost fly-by-night assessors will undoubtedly soar, especially as ISVs start to panic that they'll be left off of the magic list.

That's the problem with checkmark security. Will ISVs earn their marks? Or will it live up to its name and become a retail quid pro quo: An even exchange of one check for one mark. And a race to see which will end up with the lowest value.