5 “Buts” Your QSA Doesn’t Want to Hear
Date published:
Feb 3, 2022
Qualified Security Assessors like me conduct PCI assessments year-round, so while your assessment may feel like an “it’s that time of year again” activity, for us the interactions with clients fall into familiar patterns. For example, QSAs hear a lot of sentences that begin with the word “but”, and many of these “buts” come from misconceptions about the data security processes or technologies the client has implemented.
Below are five “buts” I hear on a regular basis, along with an explanation of why QSAs like me cringe when clients use them:
1. But our application is PA-DSS certified…
It is certainly a good thing to have a PA-DSS validated application handling payment functions within an organization. For some merchants, it is almost a requirement of doing business these days. However, regardless of what some sales guy says, an application cannot make a merchant organization PCI compliant.
An application’s PA-DSS validation only means that the software can support the entity’s PCI program and help the company become PCI compliant, and only when it is installed and configured as described in its PA-DSS Implementation Guide. Even if that guide was followed to the letter and the environment is fully segmented, the application covers only how it stores, processes and transmits cardholder data. Network security, access control, logging and monitoring, vulnerability management, and the policies behind them remain the merchant’s responsibility, so the vast majority of PCI DSS requirements still have to be met by the merchant.
2. But last year’s assessment…
Stop it right there! Last year’s assessment has nothing to do with this year. PCI DSS validation is a point-in-time assessment. So, regardless of what a previous assessor may have let slide, what matters is this year, this point in time, and this assessor’s name on the report, not the previous assessor’s.
This is not about making an organization compliant; it is about protecting cardholders. The threat landscape evolves, and the depth and rigor of testing must evolve with it.
3. But our ASV didn’t…
We are not here to assess an ASV. We are here to determine the compliance status and security posture of the client organization. The only answer I typically have to ASV questions is this: the organization should have treated its Approved Scanning Vendor like any other service provider, determined a course of action, and fixed the service issues. Would you keep paying a landscaper who always missed spots in the lawn? Would you let the spots go because it is “someone else’s job”? In fairness, the ASV often is not at fault; in the majority of the cases I have observed, an internal business process broke down and the ball was dropped somewhere inside the organization.
If a business cannot produce four passing quarterly external scans covering the past twelve months (evidenced by the ASV’s Attestation of Scan Compliance for each quarter), and this is not its first PCI validation, then the business is likely non-compliant with that requirement. The first-year allowance (a single passing scan plus documented policies requiring quarterly scanning) exists because a new entity has no scan history; an entity that has validated before has no such excuse.
4. But we forgot to [insert any control here]…
A forgotten control is not a candidate for a compensating control. Compensating controls exist for cases where an entity cannot meet a requirement as written because of a legitimate technical or documented business constraint, and the alternative control must meet the intent and rigor of the original requirement; a process that simply broke down meets neither test. It can be documented that the process is now effectively in place to support compliance going forward, but it is not the QSA’s job to decide whether the risk of the missed control is low enough to mark the requirement as in place. Accepting that risk is the acquiring bank’s call.
Logging is a good example. Requirement 10.7 calls for at least one year of audit trail history, with a minimum of three months immediately available for analysis. If an organization does not have one year of log files because it has a “new logging system,” should it get a compensating control? In my opinion, not usually. The organization should have made the conscious decision to follow its media retention and destruction policies and retain the log data from the old system in a format that would allow analysis if required. That organization would be non-compliant, and the projected date of compliance with the requirement would be the one-year mark for the new system’s logs.
5. But why can’t we just move the dates for our remediation?
Again, the QSA assessment is for this particular point in time. In other words, if you are non-compliant at the end of the testing window, you are non-compliant. Organizations do NOT pay for a compliant report; they pay for a Report on Compliance (ROC), requirements in place or not. How can management at the acquiring bank (or your own management team, for that matter) accept and classify risk properly if they are not aware of it? In this day and age, it really is a good thing to have security issues brought to light by a partner instead of a criminal. For businesses that think otherwise, I say good luck and Godspeed.