PCI QSA Goodness

In some of my posts, I have been somewhat critical of the PCI-QSAs. My biggest frustration is when you cannot get a clear answer from an assessor on complex scenarios and complex technologies. I have made comments related to ‘not all QSAs are created equal’, ‘the value add that QSAs do not deliver on’ and probably a few others that make QSAs and their pool of certified assessors grit their teeth and think negative things of me.

From the QSA perspective, I can appreciate the frustrations they have in getting adequate information from a merchant. The way I see it, that frustration is part of the job they signed up for. Maybe it is a Marine thing – but I have high expectations of professionals who are the subject matter experts on a beast like PCI-DSS. I want to deal with QSAs that actually know technology, understand security controls, are able to contextualize a security control as applied to a technology, and are willing to tell you that you are either right or wrong – not some of this wishy-washy, not-willing-to-take-a-side approach that leaves as much uncertainty about a scenario as when you first started seeking feedback.

I recently had an opportunity to collaborate with a QSA that really impressed me. The company is called Payment Software Company (PSC); based out of San Jose, California. PSC is a boutique firm that specializes in the payment technology niche.

The folks at PSC know the “payment card industry” and have been a part of it since long before PCI-DSS became what it is today; I would even say that is part of their value proposition. From my perspective this is a powerful differentiator from QSAs whose assessors only know PCI-DSS, are jumping on the PCI-DSS make-a-quick-buck bandwagon, and do not provide as much value.

Another observation I would make about PSC is that they really understand how technology and security work together and what that means from a PCI-DSS perspective. The *leaders* of the company know technology and security at a very granular level; to an extent most reasonable folks would not anticipate. The reason this is important is that it helps with understanding the intent of some of the PCI-DSS requirements as well as leveraging compensating controls when there may be a gap.

For fear of sounding repetitive, the PCI Security Standards Council encourages merchants to choose their QSA wisely. I have only worked with a handful of assessors from various QSAs, some good and some not so good. The PSC team easily stands out from all the others – an example of PCI QSA goodness.

I really hope I cross paths with the PSC team again – sooner rather than later!


3 Responses to PCI QSA Goodness

  1. Rafal says:

    Wow.

    @Chris…
    — that’s either the most ringing endorsement ever, or a PSA (or maybe a paid advertisement). You’re spot-on with the QSA comments, and I’ve actually seen companies choose the *least competent* ones possible to get away with as much as possible… which sounds right, doesn’t it? To find some group you’re comfortable with is good… to know they’re doing a great job is better – to have the complete trust you have in PSC… that’s unheard of.

  2. Chris Hayes says:

    @Rafal – Thanks for the comment. I expected there would be a few that question the motives of the post – I am just giving a plug to PSC. It’s nice to give props once in a while. If you inferred that I have complete trust in them – that is wrong – trust is earned and validated over time. But from what little interaction I have had with them I have a high level of confidence in their abilities.

  3. Phil Agcaoili says:

    Wow, I completely agree with this post.

    Where to begin with this post Chris? I’ll paraphrase the gems that resonate with me:

    “My biggest frustration is when you cannot get a clear answer from an assessor on complex scenarios and complex technologies…

    …QSAs that actually know technology, understand security controls, are able to contextualize a security control as applied to a technology, and are willing to tell you that you are either right or wrong – not some of this wishy-washy, not willing to take a side approach that leaves as much uncertainty about a scenario as when you first started seeking feedback.

    …know technology and security at a very granular level; to an extent most reasonable folks would not anticipate. The reason this is important is because it helps with understanding the intent of some of the PCI-DSS requirements as well as leveraging compensating controls when there may be a gap.”

    We’ve cycled through this experience as well. Being able to cut through the ambiguity and clearly address the heart of the matter has eased our approach significantly when dealing with the so-called “score keepers” in our environment.

    It’s interesting how simple philosophies, even discussed back in the early ’90s, like network segmentation (or the politically correct term “zoning”), have been so difficult for many to achieve.
