If you have ever been on the receiving end of a PCI assessment, you had one of two reactions to the title. You said:
- “Yes it is, that’s what I hired you for!”, or
- “Damned right it’s not yours, the QSA is only here to validate it.”
95% of you are likely in the first group, unless you had someone like me as your assessor. It is not the QSA’s report, it is yours. The QSA is only there to confirm that you have completed your parts of the Report on Compliance (RoC) Executive Summary (Sections 1 – 5) correctly, to edit their own sections, and to document the validation results in Section 6 – Findings & Observations. That validation is of evidence you provide, and for which you are entirely responsible.
A QSA will likely never know your environment as well as you do, and if you don’t take FULL responsibility for the contents of your RoC it will be your organisation that is liable for any mistakes, not the QSA. You will also have absolutely no remedy if you are breached and your forensic investigation exposes significant differences between the RoC and reality. This is also why you should never, EVER, hide anything from your QSA.
PCI is too often seen as an audit (it’s an assessment) and the QSA as an auditor (s/he’s an assessor), so volunteering information is considered a no-no. I have actually heard a client say: “But you didn’t ask me about that!” No matter how many times I’ve tried to explain that I’m a consultant first and there to help, that I can’t help if I don’t have all the information, AND that if I do find out they’re hiding something from me any sampling they may have been awarded is now out the window, I would still have issues.
That’s one of the differences between clients who use their PCI budgets (and even manipulate their QSA to get MORE budget!) to secure the business, and those who only care about achieving PCI compliance. The first type will spend far less in the long run, even if the process does take longer. Not only will they likely STAY compliant, they will have actually protected their business …their ENTIRE business.
Setting PCI compliance as the end goal is like telling your kids to aim for a C average in school, and even the Card Brands and the SSC themselves have only ever said the DSS is a “minimum set of security controls”. So why would a QSA, whom you have hopefully chosen well (see Selecting the Right QSA for Your Business), take any ownership in a process where the goal is almost never fit for purpose?
Anyone who thinks that the PCI assessment process is structured, formal, and conducted using well-established parameters has never been through an assessment. Every good QSA does their own internal Risk Assessment from day 1 and, based on their gut instinct, will determine whether or not validation sampling is even an option. If I don’t trust you, you stay at 100%.
Want to get some benefit from a PCI assessment?
- Choose the right QSA
- Tell them EVERYTHING
- Take FULL ownership of both the process and the output
It’s your RoC, accept it.