Complying with PCI DSS: Assessors may deliver the wrong verdict.

If you ever wondered why so many companies that had been deemed PCI compliant were breached this past year, you may have thought the problem might lie with the requirements set forth by the Payment Card Industry Data Security Standards (PCI DSS). That's probably not the case, as the standards are some of the most comprehensive ones in IT security.

Usually when PCI-compliant companies are breached, the real culprit is the assessor, the person who confirmed the company had met the PCI Requirements. The PCI Requirements were created so that organizations would focus on securing their networks, but many assessors only focus on meeting the requirements rather than security. Just as a judge or jury may reach a wrong verdict, so too do security assessors when assessing a network, which is why companies should be selective when choosing an assessor.

All organizations that accept, transmit or store any credit card information, including those that use a third-party processor, must be PCI compliant at all times. Failure to do so could mean steep fines and penalties. The PCI Requirements are so rigorous that many assessors don't thoroughly understand them or the intent of the requirements. When assessors are more focused on meeting the requirements than on securing the network, problems often follow, including compromises that could have been prevented.

Depending upon the volume of credit card transactions, an organization will need either someone in the company to act as an assessor or a qualified security assessor (QSA) to document that the company has met all the requirements and is compliant. When either of these assessors focuses on compliance rather than security, the company can easily be deemed "compliant" while its network remains unsecured.



With 12 broad requirements and more than 200 line-item requirements, many assessors are tempted either to check off a box confirming that the requirement has been met when it has not or to suggest a company buy a security device to satisfy the requirement. Both of those options become problems. In the first scenario, a company has not met the requirement, leaving it vulnerable to compromises. In the second scenario, a company may end up spending thousands of dollars on a security device without the resources to manage and monitor it. So the device may put the company in a secure state for the moment, but over time without management and full-time monitoring, the device ends up not satisfying the requirement it was intended to meet.

Without understanding network security and the intent of the requirements, assessors often end up insisting a company purchase and deploy complex layers of technology in order to meet the letter of the standard when another control would have sufficed as well or better. A QSA who has deep technical and security knowledge and a thorough understanding of the PCI Requirements should be able to assess systems and design security controls that are efficient, secure, and applicable to the business. QSAs who don't have such knowledge are more likely to recommend a broad-based solution or control that is less efficient, more expensive and less applicable to the business.

Choosing a QSA

Although many organizations only need to complete the PCI Self Assessment Questionnaire and don't officially need a QSA to complete documentation that states they are compliant, they may hire one anyway to get expert third-party help to ensure their networks are secure. QSAs differ widely in their experience and abilities, so companies need to be selective and ask questions before choosing an assessor. The QSA designation says no more about an assessor's abilities than the initials J.D. or Esq. say about the abilities of an attorney. QSAs may have worked in IT security for a decade or more, but if that work was in a specialized area, such as firewall administration rather than something broader like network security, they may find it difficult to know what to do to secure a network. Certification as a CISSP, CISA or CISM guarantees only that a QSA has a certain level of theoretical knowledge, not practical experience in dealing with information security.

Ideally, a QSA should have years of experience working in network security and understanding card data flow so they can make recommendations for areas in which the hiring company is lacking. Additionally, QSAs should run assessments with support or governance from their QSA companies to ensure that the advice and decisions they deliver are solid and optimal for their clients. This helps prevent inexperienced assessors from making recommendations that are costly when other options would have satisfied the requirements just as well or better. Companies looking to hire a QSA should look for one with a wide variety of experience from across several key areas of assessment, including network security, application security, database security and transaction process security.

Your network is like a puzzle. A good QSA can help you put all the pieces together so that they work seamlessly to protect your network and meet the PCI Requirements.

Copyright 2014 Summit Business Media. All Rights Reserved. Provided by SyndiGate Media Inc.
COPYRIGHT 2014 SyndiGate Media Inc.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2014 Gale, Cengage Learning. All rights reserved.

Article Details
Publication: Inside Counsel
Date: Dec 2, 2014