In 2013 more than 800 million records were exposed via 600+ data breaches. This year, in a single data breach incident, over 1.2 billion passwords were stolen, an instant 50% increase over last year.
Cardholder data (CHD) is no different: the number of data breaches involving CHD remains high despite stricter PCI compliance guidelines being implemented, fanning the flames of debate about whether the PCI DSS is adequate for protecting consumer cardholder data.
When things go south and it comes time to play the blame game, it’s common for fingers to point straight at the breached company’s affiliated QSA, as when a number of banks attempted to sue Target’s QSA. Heartland’s CEO made public how he felt QSAs had let him and his company down after they were hacked despite having achieved PCI DSS compliance.
But as the world discovered when the banks eventually dropped the lawsuit, in the event of a data breach it’s hard to pin the blame on QSAs. So why are QSAs seemingly bulletproof? You invest significant time and effort following the PCI standards, then pay your QSA a reasonable sum of money to come onsite and validate that you were compliant, giving you the ever-sought-after Report on Compliance stamp of approval. So shouldn’t they be responsible if you’re subsequently breached?
In this blog post, we’re going to address some of the common misconceptions about the roles QSAs play in helping your company become PCI compliant.
1. Achieving PCI compliance does not mean you’re permanently bulletproof.
Some mistakenly believe that being PCI compliant means their company is fully protected from a data breach. Unfortunately, many companies that suffered data breaches were previously deemed PCI compliant.
Does this mean that PCI compliance is worthless? Hardly. PCI DSS is the first global standard that prescriptively guides us towards securing sensitive data. If you think it’s too broad, we recommend you have a read of ISO 27001.
What organizations must understand is that PCI compliance reports and the QSAs who create them have limitations, and companies need to be aware of those limitations so that they can set reasonable expectations for their PCI compliance reviews.
QSAs review cardholder data handling practices in a similar way to how financial auditing firms review financial transactions. In both scenarios, a third-party expert reviews and tests the company’s policies and procedures to determine whether they meet industry standards, and issues a report. QSAs simply cannot check every transaction and every document within an organization, nor would a company want to pay for such an exhaustive review. And naturally, QSAs cannot anticipate whether or how a company’s data handling practices may change in the future. Instead, just like financial auditors, QSAs rely on the concept of reasonable assurance.
“QSAs can only look at what has occurred in the past…. Your QSA can provide management feedback on the appropriateness of [your] controls, but the QSA is not responsible for ensuring that any recommendations on changes to controls are implemented. Changes to controls and the proper functioning of those controls are the responsibility of an organization’s management—not the QSA or anyone else.” – PCI Guru
2. QSAs are not lawsuit scapegoats.
The common, and perfectly understandable, mindset of many CFOs is that once they have paid a PCI QSA for their services, including the delivery of a PCI compliance report, they have shifted liability in the event of a data breach. However, this couldn’t be further from the truth; every QSA’s responsibility is simply to review the company’s practices for handling sensitive cardholder data. Any flaws in those practices remain the sole responsibility of the organization.
In the rare event that a QSA incorrectly assesses a cardholder data handling process as compliant when the standard would suggest otherwise, he or she may carry some of the blame and may be held partially responsible for a resultant data breach.
One of our Directors, Stephen Cavey, who was on the receiving end of QSA reviews for many years, weighs in on this and states, “In the event a QSA reviews a non-compliant situation and does not report it, then it is reasonable to establish that the QSA is at fault for this oversight, resulting in some level of liability. However, if a merchant hides something or adequate sampling by the QSA did not reveal any issues, then the QSA would not be liable in the subsequent event of a data breach.”
The topic of adequate sampling is an interesting one and something we will reserve for a separate post, but to get back to the original topic, it’s in your vested interest to ensure a thorough and correct sample is reviewed by your QSA – an inadequate or over-simplistic sample is not going to do you any favors.
However, in the vast majority of cases, data breaches can be traced to flaws in data handling procedures and/or human error after compliance was achieved. In those cases, responsibility and liability lie squarely with the company that suffered the data breach, regardless of what was stated in the PCI compliance report.
3. A “clean” PCI Compliance Report is not your end goal. Security is.
In the same way that many people study for a Diploma, Bachelor’s Degree, or other certification just to meet employability standards, too many companies view achieving a “clean” PCI compliance report as their end goal, mistakenly believing that it will protect them from any and all data breaches. Achieving PCI compliance is an important and necessary goal, but it does not provide carte blanche protection.
When executives forget that their primary goal should be protecting cardholder data, they begin to blindly pursue a positive PCI compliance report at any cost. Companies with this mindset may try to hide weaknesses in their cardholder data practices so that they do not appear on the QSA’s report. Others may choose to discount the QSA’s assessment and select a different, less thorough QSA who is prepared to sign off on a position that other QSAs wouldn’t approve of. For a short time, the company may be pleased with its “clean” PCI compliance report, but in fact its systems are left highly vulnerable to a data breach.
QSAs who tacitly agree to issue a positive PCI compliance report without addressing the underlying question of whether a company is actually PCI compliant are not doing the company any favors. In fact, they are a liability, and your organization would be well served by avoiding working with such QSAs.
Those with a short-term perspective change their QSA frequently. They may not like the QSA’s negative assessment of the company’s infrastructure and may resent the additional work required to address the QSA’s findings. But they lose sight of the fact that identifying and addressing weaknesses in cardholder data handling practices is actually extremely beneficial in the long run.
4. Your QSA won’t take the hit for you in the event of a breach, but they don’t want you to get hit either.
Many companies view QSAs as an enemy, actively looking for flaws in their systems and putting them through the arduous process of achieving PCI compliance. If you think about it, QSAs have reasons to be personally invested in ensuring your system is secure; it’s bad for business if word gets out that their client was hit. You must view your QSA as the ally that it is, and work in tandem with it to safeguard your sensitive customer data. After all, they’re working for you!
A responsible company should choose a QSA who is tough, but fair. Companies should actively seek out QSAs who search high and low for every possible weakness (within the boundaries of the QSA review standards) and present suggestions for addressing those weaknesses. Some QSAs may have a reputation for being unreasonable and unrealistic, but most QSAs are exceptionally good at identifying relevant weaknesses and the risk that those weaknesses could be exploited for a data breach.
It’s all on you, so choose wisely.
If a data breach occurs, all that matters is that you were the cause of it. Your brand will be tarnished in the public reports, and your customers will be vulnerable. You will be responsible for any liabilities or fines that are issued, and it will be too late to start pointing the finger at anyone else once the word is out in the public domain.
Fortunately, a good QSA will help you to minimize the risk of a data breach by identifying weaknesses in your cardholder data handling practices so that you can mitigate those risks.
Just as you would not rely solely on an external auditor to check your accounts, the burden of responsibility falls on you and your security team to hold down the fort once the cavalry has left. In the event of a data breach you could try passing off the blame to your QSA, but are you confident you’ll succeed where all others have failed?