Why Are You More Afraid Of A QSA Than A Cyberthief?

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

Do cybercriminals concern you? Are you afraid that you might lose cardholder data? Are you worried that your internal users are downloading malware from the Web? If you are like most IT executives, you will answer each question with a “yes.” So if that’s the case, I have one more question for you: Why are you more afraid of your QSA than you are of a cyberthief?

Let me give some real-life examples of what I mean.

  • A merchant shows its QSA its Web application firewall (WAF) and asks the QSA to mark it compliant with PCI Requirement 6.6. But the QSA probes deeper, and he finds that the WAF is in “learning” mode, which means it is letting everything through. Indeed, the WAF has been in learning mode since it was installed after the last assessment a year ago, meaning it is pretty useless from a security point of view and definitely not meeting the intent of the requirement.
  • You developed a set of security policies as part of your last assessment. Your QSA comes around the next year and asks to see them, but no one can even find a copy to give her. Clearly the policies--designed to protect you and your assets--haven’t been implemented—or maybe even read.
  • You install an extensive and expensive logging system, but you only monitor and evaluate event reports when the QSA is on site.

In these cases, the merchants are spending the money--often lots of it--but getting no benefit. Each constructs a Potemkin Village of compliance for the QSA’s (and CIO’s?) benefit. It is as though they are more afraid of the QSA than the real bad guys trying to compromise their systems and steal their data.

Are Merchants And QSAs Destined To Do Battle?

I genuinely hope the answer to that question is “no.”

The “A” in QSA stands for “assessor.” It does not stand for “auditor,” and it’s definitely not “adversary.” (Editor's Note: And, typically, it’s not the other word that starts the same as "assessor" but may veer into a different word--although you can sometimes understand the confusion.) As a QSA, my role is not to catch merchants in a false step so I can report them to their acquirer or the PCI Council. The QSA and the client are not competitors: We are partners. At least, we should be partners for compliance to work. I think of the QSA’s role as that of a guide through the compliance process. Maybe we ought to change the designation to QSG?

The relationship can work. I recently conducted a PCI gap analysis during which I asked one user how long he retained the cardholder data on his system. In front of the IT director and me, he replied: “We keep it forever,” in complete violation of the company’s data retention policy. He agreed to change the procedure to come into compliance, and we moved on. That was it. No public flogging, no blame and no reproach. I actually wanted to give him a gold star for being honest. We can deal with any problem so long as we know about it.In another case, the client decided to scan user workstations for stored cardholder data. The finance director wanted her department’s computers to be scanned first. She wanted to communicate to the whole company that we were searching for rogue data. We were not looking to assign blame. She told me she hoped we would find some data that wasn’t supposed to be there so she could demonstrate that we were focused on going forward, not backward. She’s one of my PCI heroes.

We Are On The Same Side

At each PCI Community Meeting, there is a QSA-only session with the Council’s Technical Working Group, which represents the five card brands. These closed-door sessions can get pretty contentious, especially where DSS requirements are perceived to conflict with merchant and processor business realities. QSAs use these sessions to present the merchant’s perspective and argue for additional guidance or flexibility or changes to the Standard. It’s a shame merchants can’t attend to witness some of this stance.

Sometimes the QSA is in an untenable position. Take Requirement 11.2.b, which mandates four quarterly passing scans over the previous year. This requirement is sensible. But let’s say you, the merchant, missed a quarterly scan. Maybe there was staff turnover or you reorganized or somebody got hit by a beer truck. Whatever the reason, you missed a quarterly scan. And unless we can summon Dr. Who and his time-travel talents, you aren’t likely to be able to go back and fix it. The QSA is supposed to enforce the Requirement and, therefore, can’t sign-off on your being compliant. As a non-compliant merchant, you are in trouble with your boss and your acquirer. If you are a non-compliant processor, you go off Visa’s list of approved service providers and maybe out of business.

Trust me, QSAs do not enjoy these situations. QSAs have argued the case for some flexibility on this requirement, and recent guidance from the Council indicates there may be flexibility in some cases. If you end up benefitting from this or some similar situation, you might want to thank your QSA.

Please understand: Neither the Council nor the Standard is the common enemy. I am a fan of PCI as the best thing we have. It’s not perfect, but it has raised security awareness like nothing else before it. The Council is listening, and a lot of good people work there. I just want to share a dirty little secret with you: Sometimes your QSA actually is on your side.

Life Is Like Basketball

I feel that life is like the game of basketball: It’s all about whoever touches the ball last. If I buy a prepared meal and everybody likes it, I get the credit. If I open a bottle of wine and it’s corked, I get the criticism. In neither case did I really do anything. I was just the last one to touch the ball.

Many QSAs spend time describing the business needs and PCI challenges of retailers (and hotels and airlines and telecoms and universities) to the Council. QSAs go to the mat for their clients (I know I do) for a compensating control or a favorable interpretation of a requirement. Because they also get to deliver the bad news, though, QSAa are the bad guys.

At least for me, I refuse to be perceived as an adversary of either my clients or the Council. We are all in this together, and we can make it easier all around--and your environment a whole lot more secure--if we work together.

I’m interested to know what you think. Am I naïve? Am I too taken with the generosity of the holiday season? What am I missing? Are IT professionals--white hats and black hats--kindred spirits and QSAs the ones crashing the party? Leave a comment below or send me an E-mail at [email protected].