PCI should change its QSA training and certification, says Dell SecureWorks

The PCI council explained on its website that QSA companies (QSACs) are organizations that have been qualified by the council to have their employees assess compliance with the PCI DSS standard for payment card data security.

The council stressed that QSA certifications “indicate only that the applicable QSA has successfully met all PCI Security Standards Council requirements to perform PCI data security assessments, and the PCI Security Standards Council does not endorse these security solution providers or their business processes or practices.”

Coburn said that the main issue he has with PCI DSS is that it tries to do too much. The standard “covers a very broad spectrum of technical and procedural security controls that any one individual QSA struggles to get his or her head around. It is very difficult to find individuals who are masters in all of the areas in which the standard is concerned”, Coburn told Infosecurity.

PCI DSS is “esoteric” in some areas and quite “broad” in others, Coburn noted. “It is very specific about the way you document firewall rule sets, for example, or the way you apply file integrity monitoring. But on the other hand it also touches on process controls on a very broad and high level, such as you should have an information security policy in place.”

The Dell SecureWorks executive explained that many organizations have been dissatisfied with the QSACs and QSAs they have used to validate PCI DSS compliance. For example, the guidance provided by the QSA is often inconsistent. “If there are two QSAs in a room, they will never agree on the same requirement. This is the kind of feedback we are hearing”, Coburn said.

On its website, PCI notes that it has a “clear-cut program to help all QSAs uphold a strong profile by following a process that ensures their consistency, credibility, competency and ethics.” Those QSAs who fail to meet PCI’s standard in a particular area or areas are placed in a remediation program. The areas where QSAs may fall short include lack of documentation in a series of reports, failure to meet business expectations with a fully operational internal QA program, or a failure to renew appropriate insurance coverage or other requirements addressed within the validation requirements.

Coburn said the council stresses that it takes a pragmatic risk-management approach to cardholder data security, but it does not train QSAs on being pragmatic about applying the standard to a particular organization.

Dell SecureWorks is proposing that the PCI council adopt a new “gold standard” for QSA certification. First, QSACs should be able to demonstrate that they have capabilities across all areas covered by the PCI DSS: network security, application security, and the procedural aspects of the DSS, such as information security policy. Second, QSACs should identify their sector experience, so that customers can know which QSACs are appropriate for their industry.

“If you are a retailer that competes with WalMart, you should look for a QSAC with that type of vertical experience….If they don’t have experience in your industry, maybe you shouldn’t hire them because we have seen QSAs apply the standards vigorously and not listen enough to how the business works….Sometimes [QSAs] are agnostic to the fact that businesses need to make money”, Coburn observed.

In addition, Dell SecureWorks is proposing that the council should measure QSAs along practical as well as theoretical lines and should replace the current qualification processes with a much more rigorous screening process carried out in an interview format.

“The development of a gold standard is an opportunity for people in the industry to get involved in the debate, take the debate to the council, and have an open discussion with the council on how we raise the bar” for QSAs, Coburn concluded.
