In my experience working with hundreds of companies pursuing Payment Card Industry Data Security Standard (PCI DSS) compliance, I have recognized a few trends.  As with any spectrum, two extremes exist. On one end of the spectrum are those companies who view the pursuit of PCI DSS compliance as a project that will improve their information security practices through their efforts.  On the other end of the spectrum are those who simply view the PCI DSS as a mandate they are trying to survive while spending the least amount of money and expending the least amount of effort possible.  I often say these companies are “saving a dime while spending a dollar.”

Consider the high cost of a data breach

The financial impact to a company that has experienced a data breach can be significant.  Often, large breaches cost tens or even hundreds of millions of dollars in fines, fees, and other penalties.  When coupled with the inevitable public relations fallout, a data breach can devastate an organization.  In spite of the information available in the public domain, some companies still elect to pursue low-cost providers for their PCI DSS compliance needs.  Unfortunately, selecting a low-cost provider can cost the company much more in the long run than the few thousand dollars the company saves in its PCI DSS compliance effort.

While many factors certainly contribute to any data breach, the phenomenon described above can be seen anecdotally by closely analyzing the major payment card data compromises of the past eight years.  It certainly appears as if a disproportionate number of those compromises occurred to clients of lower-cost PCI DSS compliance assessors.

It could be that the Qualified Security Assessor (QSA) simply overlooked vulnerabilities due to inexperience or in a push to complete a project on a very compressed timeline, or it could be that the company being assessed did not pursue compliance as a project directed toward achieving greater security. Instead, they may have looked for a “check the box” assessment where they simply went through the motions to get the coveted PCI Compliant status.  Finally, it could be a combination of the above mixed with some bad luck.

Five tough questions to ask your QSA

When choosing a QSA, it is important to ask some difficult questions to understand the firm’s experience level, its processes, and its focus on PCI DSS.  Here are the questions you must ask:

1. Has your company ever been on remediation by the PCI SSC?

2. Has your company ever had a client breached after being assessed by your company?

3. How many PCI DSS assessments has your company conducted?

4. What are the experience levels of your QSAs?

5. Describe the types of clients with which you primarily work.

I consider myself fortunate to work for a company where I can answer every one of these questions with confidence, but regardless of who your provider is, it is important to remember that you “get what you pay for” and “if it seems too good to be true, it probably is.”

If you’ve gone through PCI DSS compliance, what questions did you ask of your QSA? After going through the process, do you have any advice to share?