<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"
	xmlns:media="http://search.yahoo.com/mrss/"
	>
<channel>
	<title>Comments on: They didn&#8217;t just hack Heartland</title>
	<atom:link href="http://www.mckeay.net/2009/08/18/they-didnt-just-hack-heartland/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.mckeay.net/2009/08/18/they-didnt-just-hack-heartland/</link>
	<description>The views of one man on security, privacy and anything else that catches his attention.  The views expressed on this blog do not reflect the views of my employer or anyone other than myself.</description>
	<lastBuildDate>Thu, 02 Feb 2012 21:45:54 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=</generator>
	<item>
		<title>By: PCI QSA</title>
		<link>http://www.mckeay.net/2009/08/18/they-didnt-just-hack-heartland/comment-page-1/#comment-5031</link>
		<dc:creator>PCI QSA</dc:creator>
		<pubDate>Fri, 21 Aug 2009 12:11:03 +0000</pubDate>
		<guid isPermaLink="false">http://www.mckeay.net/2009/08/18/they-didnt-just-hack-heartland/#comment-5031</guid>
<description>I think it is not uncommon that organisations are let down by their PCI QSAs - especially given the broad technical domains covered in the standard and the skill sets required. Many consultancies try to provide all the required services where they clearly do not have the skills, but are worried a competitor may come in and take over their account.

On some of our PCI engagements the web application testing piece has previously been conducted by other consultancies and missed key vulnerabilities that we have found in a few minutes just using a browser and some invalid data. If we are the organisation signing off the final audit, it is our right as a QSA to reject those previous test results if we can demonstrate that the testing has not been performed with the right level of diligence. In the long run this benefits the customer too.</description>
<content:encoded><![CDATA[<p>I think it is not uncommon that organisations are let down by their PCI QSAs &#8211; especially given the broad technical domains covered in the standard and the skill sets required. Many consultancies try to provide all the required services where they clearly do not have the skills, but are worried a competitor may come in and take over their account.</p>
<p>On some of our PCI engagements the web application testing piece has previously been conducted by other consultancies and missed key vulnerabilities that we have found in a few minutes just using a browser and some invalid data. If we are the organisation signing off the final audit, it is our right as a QSA to reject those previous test results if we can demonstrate that the testing has not been performed with the right level of diligence. In the long run this benefits the customer too.</p>
]]></content:encoded>
	</item>
</channel>
</rss>