I’m Just the QSA, It’s not MY Report on Compliance!

If you have ever been on the receiving end of a PCI assessment, you had one of two reactions to this blog’s title. You said:

  1. “Yes it is, that’s what I hired you for!”, or;
  2. “Damned right it’s not yours, the QSA is only here to validate it.”

95% of you are likely in the first group, unless you had someone like me as your assessor. It is not the QSA’s report, it is yours! The QSA is only there to:

  1. confirm that you have completed your parts of the Report on Compliance’s (RoC) Executive Summary (Sections 1 – 5) correctly;
  2. edit the QSA-relevant sections;
  3. document the validation results in Section 6 – Findings & Observations; and
  4. validate the evidence you provide, and for which you are entirely responsible.

A QSA will likely never know your environment as well as you do. So if you don’t take FULL responsibility for the contents of your RoC, it will be your organisation that is liable for any mistakes, not the QSA. You will also then have absolutely no remedy if you are breached, as your forensic investigation will expose significant differences between the RoC and reality. This is also why you should never, EVER, hide anything from your QSA.

PCI is too often seen as an audit (it’s an assessment), and the QSA as an auditor (s/he’s an assessor), so volunteering information is considered a no-no. I have actually had a client say: “But you didn’t ask me about that!”. I always try to explain that I’m a consultant first and there to help. I can’t help if I don’t have all the information. But if I do find out that they’re hiding something from me, any sampling privileges are now out the window.

That’s one of the differences between clients who use their PCI budgets to spend on securing the business, and those who only care about tick-in-the-box compliance. The first type will spend far less in the long run, even if the process does take longer. On top of that, they will likely not only STAY compliant, they will have actually protected their business... their ENTIRE business.

Setting PCI compliance as the end goal is like telling your kids to aim for a C average in school. Even the Card Brands and the SSC themselves have only ever said the DSS is a “minimum set of security controls”. So why would a QSA, whom you have hopefully chosen well (see Selecting the Right QSA for Your Business), take any ownership in a process where the goal is almost never fit for purpose?

Anyone who thinks that the PCI assessment process is structured, formal, and conducted using well-established parameters has never been through one. Every good QSA does their own internal Risk Assessment from day 1 and, based on their gut instinct, will determine whether or not validation sampling is even an option. If I don’t trust you, you stay at 100%.

Want to get some benefit from a PCI assessment?

  1. Choose the right QSA;
  2. Tell them EVERYTHING; and
  3. Take FULL ownership of both the process and the output.

It’s your RoC, accept it.

