Comments on: Re-Thinking PCI Assessor Selection: Does Quality Matter?

By: Matt Harrigan

Matt Harrigan — Sat, 19 Sep 2009 00:18:30 +0000

If brands would invest in security and stop relying on other people to protect their magnetic stripe data for them, we wouldn’t need QSAs at all.

By: Chris

Chris — Fri, 18 Sep 2009 15:10:24 +0000

@Chris Miller
“Wouldn’t it be best to hire the QSA Company that is also listed as one of the very select and few QIRAs also?”

If a Merchant has been breach, and QSA from Company X has submitted a passing ROC, then that Merchant needs to call QIRA Y or Z. Company X can not do the investigation.

While I do agree that the 7 on the list is short sited from the amount of other forensic firms. Lets hope that the SSC adjusts the list once they take over the QIRA program later this year.

Cheers,
Chris

By: Ramachandra Putti

Ramachandra Putti — Wed, 02 Sep 2009 18:06:06 +0000

The question is not just picking up a good QSA. Do we need to drive or be driven?

Its what the internal security team lays a strategy and plans and implements for data security rather than go get a PCI certification which is not an end in itself.

Its like a chain is as strong as the weakest link. The corporates have to pass budgets in time, plan for mitigation of risks which most of the time is legacy driven and ask ourselves “how do i improve this further?” Nevertheless, meeting the PCI standards is necessary but it does’nt cost running an extra mile to safegaurd the trust reposed by customers of their card data with us.

By: Chris Miller

Chris Miller — Mon, 31 Aug 2009 22:29:02 +0000

Wouldn’t it be best to hire the QSA company that is also listed as one of the very select and few QIRAs also? After all, if you attain compliancy and then get breached, assuming you changed nothing, how could the PCI SSC ever come back and say your company was not compliant when the assessment was done not only by a QSA but one they have hand-anointed as a QIRA? That seems a sure-fire slippery slope for the PCI SSC if I ever saw one. Would the assessor investigate themselves? I think PCI SSC needs to re-think the QIRA list.

By: mark sullivan

mark sullivan — Fri, 28 Aug 2009 18:10:47 +0000

I wanted to see if I could get a soft copy of the pci qsa article by David Taylor. It looks like a nice capsule summary of conversations my customers have had.
Thanks,
mark

By: Cranston Snoard

Cranston Snoard — Fri, 28 Aug 2009 17:28:55 +0000

@bob
“Pick a QSA that has something to lose – a 5 man shop has a lot less to lose than the partner signing the ROC at a Big Four firm. There is a reason why you pay a premium at these types of firms.”

Ah, yes — the same Big Four who’s activities brought us Enron and SOX. I suspect it’s *not* that they really have more to lose (seems to me these firms made a killing from SOX which was brought in to “fix” of the very problems they caused), but just that they have more resources to cause the PCI SSC pain and greif if they ever were challeneged.

By: bob

bob — Thu, 27 Aug 2009 14:00:22 +0000

Pick a QSA that has something to lose – a 5 man shop has a lot less to lose than the partner signing the ROC at a Big Four firm.

There is a reason why you pay a premium at these types of firms.

By: Dave Taylor

Dave Taylor — Thu, 27 Aug 2009 03:22:29 +0000

Hi, Cranston,
I agree that just taking a 2 day training class (and paying a bunch of money) to become a QSA is not exactly a high hurdle. There’s a long list of QSA companies and they’re certainly not all equal. I have talked with acquirers and other assessors who are skeptical of certain QSA companies, who have “reputations” as being easy. But there is actually far more variation by individual QSA than there is by company, according to a great number of our interviews with merchants, banks, service providers, and the QSAs themselves. I suggest you search our research DB for comments from our anonymous interviews about specific companies, or you can post questions to others in our discussion forums – you can do so anonymously if you wish. If you would like to discuss this, just email me. (david.taylor@knowpci.com). Thanks, Dave

By: Cranston Snoard

Cranston Snoard — Wed, 26 Aug 2009 20:13:35 +0000

“But the more immediate problem is that if you use a bargain basement QSA, your Report on Compliance (ROC) is more likely to be bounced by your acquirer or the PCI SSC’s Quality Assurance team.”

If that its the case, it only server to further proves what a crock PCI DSS and the QSA qualification process are. If an ROC is going to be rejected by the acquirer or the PCI SSC — the vary organization that said the QSA in question is qualified! — their credibility is out the window.

How can the PCI SSC have it both ways — telling us a specific QSA is qualified to do the assessments, and then reject the ROC from that QSA? Even a first year law student could win that court case me!