Apr 04 2011
I’ve got to love it when a friend writes a post that disproves its own title. My friend Mike just wrote a blog post called “You are Not a Beautiful and Unique Snowflake” in which he goes on to explain that you are unique, and so are your competitors, but that doesn’t give you any reason to expect special treatment. That’s his real point: you may see someone else in the same business doing the same thing, but there’s enough individuality between the two of you that what looks like special treatment from the outside is really the outward symptom of deeper differences between the businesses, differences that only show up during a thorough inspection of how each business actually works.
Ask any experienced QSA about the different businesses they’ve worked with over their tenure and you’ll start getting the feeling that there’s not much variation in how companies do networking, configure servers and run a web site. That’s only natural, since as human beings we tend to notice how things are alike before we start observing the differences. And from a casual, 10,000 foot view, there really aren’t any major differences between similar businesses. But PCI isn’t about the 10,000 foot view; it’s about the nitty gritty details of how credit cards flow through the business’s systems, where the data is stored, and all the minutiae of how every system that stores, processes or transmits cardholder data is configured. Consider how hard it is for even one business to configure all of its servers to a single standard, then think about how much variation must exist between any two companies, even ones in exactly the same line of business. That should give you a moment of pause.
Where Mike is most dead on is when he says “You seem to think you know everything there is to know about your competitor, but in all likelihood you do not”. I’m no longer surprised when, halfway through a conversation during an assessment, a manager says, “Wait a minute, why haven’t I heard of this data repository/network connection/export to sales before now?” That’s not a dig at anyone. The fact is that most cardholder environments are complex and constantly changing, and unless your only job is to dig into the environment on a daily basis, it’s very hard to keep up with what’s where, assuming you ever actually knew where everything was in the first place. And if that sort of accidental discovery is not unusual in your own environment, how can anyone assume with any certainty that they understand a competitor’s environment well enough to make a judgment call on its compliance?
It’s easy to forget how much difference a little segmentation, or the exact same equipment configured just a bit differently, can make. Part of the reason you consider someone a competitor is that they’re doing almost the same thing you’re doing, just a little differently. Ask your own sales or marketing department how your product differs from your competitors’ and I’m willing to bet they could rattle off a dozen differences in a couple of minutes. (If they can’t, get a new sales/marketing department!) If marketing knows the products differ, how can you reasonably expect that your cardholder data environments won’t have similar, nuanced variations? The reality is, you can’t.
Do QSAs miss things? Yes, every day! Are there QSAs who ignore things they don’t want to review? Probably, but that’s not an accusation anyone should make without proof. Is your environment exactly the same as your competitor’s? Unless a large part of your crew came from the competitor’s workforce, or vice versa, chances are that once you actually look under the hood of how business is done you’ll find far fewer similarities than you expected. And it’s the devil in the details that makes all the difference in the world between passing an assessment and not.
Yes, you are beautiful and unique, just like everyone else. And no, neither you nor your competitor is going to get special treatment under the PCI DSS. You’re probably just not as similar to each other as you thought.