Jun 17 2009
Branden Williams at Verisign just posted that MasterCard is now requiring an on-site assessment by a QSA for all Level 2 Merchants. This is huge because Level 2 Merchants have historically been able to simply fill out a Self-Assessment Questionnaire (SAQ) and call their PCI compliance done. According to Branden, 30% of the answers merchants have been giving on the SAQs have been wrong, and I’m willing to bet the wrong answers are in the little areas of compliance like log management and encryption. You know, the small things that can be fixed by throwing a ton of money and time at them, if you have either in the current economy.
From a business perspective for QSAs and their companies, this is huge. The competition to provide services to Level 1 Merchants and Service Providers hasn’t hit its peak yet, but it’s much harder than it was a couple of years ago. I doubt many sales people were sweating and wondering how they were going to make their quota yet, but now they could see the issue coming. Now they just have to go back and look at all the Level 2s they’ve been providing other services for, and they can start making all those calls to upgrade to having that QSA come on-site.
This might be a good time for someone with access to such statistics to take a baseline of compromise statistics and start seeing whether the PCI requirements really are making us more secure or not! Rather than having the constant argument of “it’s working/it’s just smoke and mirrors”, take a snapshot of what we know right now and let’s see if making the Level 2 Merchants have an on-site assessment is really working. The Verizon Breach Report may be an excellent starting place for such statistics, especially once we’re able to review the stats year over year. We won’t really be able to make the call until after the December 31st, 2010 deadline, but we need to get that baseline measurement in place now so we can see the effect.
I am guessing that there are going to be a lot of QSA companies that get bigger this year, as well as a whole slew of new companies started just to deal with the Level 2 Merchants. I’m hoping that the quality of the assessors doesn’t fall because of the huge influx of QSAs we’re needing to handle the work. I have a pretty good idea of the opinion some of my colleagues in the security field have of existing QSAs, so I really don’t want them to have more ammunition to use in the battle over whether or not PCI is effective.