Sep 15 2009
Bill Brenner’s recent article, 4 ways to get the most from your PCI QSAs, hits the nail on the head. His very first point is especially germane in my experience: merchants and service providers need to be sure they’re picking a QSA company that can successfully evaluate their particular environment and is not just the lowest bidder. Too many companies treat PCI and their QSA as a nuisance that they have to put up with for several weeks a year and can ignore the rest of the time.
My best assessment experiences have been with companies that treat PCI and their QSA as a way to effect change in their environment and are honest with themselves and the QSA. I’ve often asked the security manager of a company what they need to do to secure their corporation and what I can do as their consultant to help effect those changes. It’s often surprising how many security measures have been resisted by management when the request is coming from internal security but will be okayed the moment an external consultant or assessor mentions how the measure will help make compliance easier. I’m sure I’m not the only one who’s ever used an external authority figure, like a QSA, to push for a new tool or policy I needed to secure my enterprise.
Another point in Bill’s article to be especially aware of is that your QSA is going to find weaknesses in your enterprise if they dig. It’s a fact of life that mistakes happen, configurations get changed, policies aren’t written as tightly as they could be, and that we’re all human. I have yet to discover an enterprise where I couldn’t find some system misconfigured or a minor point of the PCI requirements misinterpreted. The secret is to build a relationship with your assessor before that point so that you feel comfortable with this discovery, that it is taken as a positive event that allows you to learn, and that the assessor isn’t a bad guy trying to tear down your hard work. Every QSA I’ve ever talked to about it is trying their hardest to help you secure your enterprise and leave you in a better security stance than when they arrived.
The worst experiences I’ve had as a QSA are with companies that thought I was their enemy or that the best way to get through their assessment was to try to distract me from what’s really happening in their enterprise. The best you can hope for under those circumstances is that you’ll pass your assessment, but you won’t actually gain anything from the experience the QSA brings to the table and your enterprise. You may have gotten certified for another year, but it undermines your own security and the effectiveness of the PCI process. In a worst-case scenario, you won’t pass your assessment because of what the QSA ends up finding despite your best efforts, or you’ll pass your assessment by covering up insecurities and end up being compromised through one of the systems you hid during the assessment.