By Todd Bell
Global IT Security, Setting Strategy & Building Programs, Rearchitecture Design
It is almost weekly now that another retail giant announces a security breach, and consumers go through the mental exercise of determining when they last used their credit card there. Consumers blame the retailers, retailers blame the hackers—but there is one element that is still lurking in the shadows. The credit card business has a dirty secret that nobody will publicly address. There are a small handful of “low cost leader” companies that provide Qualified Security Assessor (QSA) cardholder data protection services for household names such as Target and Neiman Marcus – places many of us shop every day. These “low cost leader” companies are known for under-bidding credit card security assessments with prices that are far below other higher-quality QSA companies. Many in the industry refer to these companies as “the rubber stampers.” They give merchants the annual piece of paper that states they are PCI Compliant, which not only gives a false sense of security, but also sets the merchant up for a potential breach by muscling out quality QSA companies that may be a little more expensive in the short term, but who may have found the very vulnerabilities that end up costing the company and consumers millions in lost money.
Cyber Security industry experts are realizing the correlation between a merchant that has been certified as compliant by these “rubber stampers” and embarrassing breaches. In a security breach, every key stakeholder feels the pain, except for the one validating the security controls – the QSA company. These companies are never revealed as culpable after a breach – they are never even named as the QSA of record. They don’t have enough “skin in the game” and don’t suffer the same consequences as security teams inside the merchant. High-profile credit card security breaches can often be traced back to one thing: the lack of a proper, custom-tailored cyber security program. When PCI Compliance came into existence, it also became the default security framework for merchants. Many security professionals have stated that “compliance does not equal security.” PCI Compliance does not mean all merchant systems within the company are secure. Further, compliance is a starting point that fits into an overall enterprise security program regardless of whether the merchant has 10 employees or 10,000. Compliance is where the minimum standard is set, not where organizations should stop.
An ironic example of this problem dates back to a 2010 AT&T marketing document describing how “Not All QSA’s are Created Equal: What You Should Know Before You Buy.” There are very good QSAs that really want to do a good job for a merchant, but there is a culture in other QSAs of limiting consulting hours and the depth of a credit card security assessment. For example, one QSA assessed the same company twice, stating it was PCI Compliant, yet the same company experienced two credit card security breaches. One could argue that the fault was with the merchant, yet the top QSA Assessors have never had one merchant ever lose a single credit card.
Some of these low cost leaders will “game” the PCI Standard by using legal language from the Report on Compliance (ROC) such as “…this credit card security assessment shows ABC Company was PCI compliant at the point and time of this PCI assessment” as a legal disclaimer that they are not responsible for the PCI compliance of the merchant once the audit is completed. The low cost leaders may be winning on price, but not at actually improving credit card security and reducing risk for merchants. For instance, numerous QSA companies are losing bids to the low cost leaders because they sell projects on a time-and-materials basis, while the low cost leaders sell their projects at a fixed price to fit nearly any budget. The fundamental problem with this approach is that when the low cost QSA company burns through the profitable hours, it makes business sense for them to skim through the security vulnerabilities and check the PCI-compliant box. This ensures they don’t lose money on the project and results in a happy customer when they hear they passed. Of course, all this does is leave the door open for a potential security breach. Many other QSA companies lose opportunities to properly secure merchants by conducting proper PCI credit card security assessments because they have to compete against a low-price, fixed-rate provider.
Merchants are just as guilty of “gaming” the PCI Standard by shopping around to get a compliant ROC for the lowest price. They start their procurement process looking for the QSA willing to give a stamp of approval for the lowest cost. In many cases, companies aren’t really looking for quality. A number of QSA assessors have reported seeing merchants that hire a QSA Company only to terminate the company once too many security vulnerabilities were discovered. They would then hire a second QSA Company and hide the previous security vulnerabilities in hopes of getting a “rubber stamped” ROC from the second QSA Company without fixing and addressing the issues previously identified by the first QSA Company.
The project bidding process is very cut-rate and too focused on price. For instance, a high quality QSA company may bid on a project with a new prospective merchant that may require six weeks of on-site work at a merchant site and another five weeks to assemble the ROC (usually a 150 to 220 page document). The low cost leaders will submit a bid that may be less than one week on site, then spend the next three weeks wrapping up the security reviews over conference calls and submitting a boilerplate ROC. The question in this very common scenario is why the bids from the numerous QSA Companies are so different when all QSA companies operate by the same rules and regulations of the PCI Standard. The problem is further amplified when merchants sign multi-year contracts using the same QSA assessor year after year. These long-term arrangements can desensitize a security assessor and engender overfamiliarity between assessor and assessee.
Low cost leaders often use a combination of boilerplate legal language and low cost staffers to perform the work, not digging deep enough into what is really happening from a security perspective to protect credit card data. This is the equivalent of using a new medical intern to perform open heart surgery. Oftentimes, the merchant feels as if they dodged a bullet because they know they are not PCI compliant and are completely aware that the low cost leader missed many of the security controls by not asking the right questions. They are content because they gained both their “PCI compliance” and more time to fix what they know is already broken – if their intentions are good. The worst-case scenario, however, is that the merchant feels their problems must not be that bad because they passed their assessment and are now PCI Compliant.
Another harmful and rampant practice in the industry is companies prepping their employees for audits. In this scenario, ahead of a known QSA assessment, the employees are coached to only tell what is asked and not volunteer any more information. They are further coached not to provide any great detail about anything and to only explain the basics of how a security control works. For the employees, this is an opportunity to show their leadership team that they are “corporate players” and will do anything to protect the company – even when this protection is from an outside QSA company ostensibly there to improve the company. The goal becomes PCI Compliance – not true security. Quality QSA Companies that choose to properly enforce the PCI standard and are thorough with their assessments don’t have merchants experiencing security breaches, because those merchants completely adhere to the PCI Standard. There have been numerous instances of a “low cost leader” being replaced by a higher-quality QSA company that then finds many security vulnerabilities. This can be understandably disorienting to a merchant, as they were PCI Compliant the year before; it makes progress much harder for the new QSA and makes them look like agitators to the merchant undergoing the PCI security assessment.
The key to the PCI Standard is the layers of security it provides. This was validated by Bob Russo, GM of the PCI Security Standards Council, when he stated “…these breach incidents underscore complexity of data security issues and why businesses need to develop a multi-layered approach to protecting their customers” in a recent Bank Systems & Technology press release, “Creating A Strong Foundation for Security Payment Data With PCI Standards.” When one security control is broken by a hacker, another layered security control is in place to stop the hacker from advancing to the next stage to steal cardholder data. Much like an onion, there are many layers to the PCI Standard; this is the core foundation of how the PCI Standard works, and it protects every company that accepts credit cards around the world. When the facts are reviewed after a major security breach, there is always a lack of required, layered security controls. This was abundantly clear at Target, as the damage would not have been as devastating if Target had layered security controls as specified by the PCI Standard. This is where the low cost leaders have failed their merchants – by not properly protecting a merchant’s cardholder data. QSA companies have indemnification clauses in their Master Services Agreements (MSAs) to protect against legal consequences for the poor work they deliver to their clients. This arrangement leaves the low-quality QSA unscathed and able to move on to the next willing victim.
The PCI Council does have a quality audit program to ensure consistency across the credit card security assessment industry. The PCI Council puts emphasis on how well the ROC is written, and it follows a formalized scoring process. While not a perfect process, the PCI Council is making every effort to protect the credibility of the PCI Standard, yet we have the low cost leaders and some merchants that make the PCI Standard appear ineffective. The fact is that the PCI Standard works well and shares many similarities with the ISO 27002 International Security Standard. Several years ago, VISA publicly removed from all of its web sites the statement that if any merchant is found to be PCI Compliant at the time of a security breach, they will not be responsible for the fines of the security breach. According to a past statement on CSO.com from VISA Chief Enterprise Risk Officer Ellen Richey, “… no compromised entity has yet been found to be in compliance with PCI DSS at the time of the breach.” The PCI Council has issued recent guidance regarding QSA Companies/QSA Assessors offering a “guarantee” of “PCI Compliance,” to help stop QSA Companies “gaming” the PCI Standard for financial benefit; however, this practice is still ongoing.
From retailers to e-commerce, merchants are slowly realizing that their PCI compliance stamp is only as good as the QSA they hire. Savvy merchants are now aware of which cheap and easy QSA companies will provide PCI compliance assessments with very little scrutiny. These low cost leaders will argue that what they are doing is perfectly in line with the PCI Council’s Standards and Guidelines, but once again, if that were true and they were ensuring the layered security approach of the PCI Standard, there would be far fewer breaches.
The best way to protect your company is to carefully select a QSA company that has a Security Engineering background. The typical low cost leader tends to employ auditors rather than security engineers, which can lead to well-documented audits with very little technical depth. Properly implementing or assessing the PCI Standard in any company requires the knowledge of an experienced Security Engineer. Auditors don’t typically have the expertise to adequately assess a complex security control. An Auditor will ask binary questions as the summation of a company’s overall PCI Compliance, while a Security Engineer will design and implement the necessary layers of security controls to protect a company and prevent a future security breach. Merchants also need to do a better job of hiring quality QSA companies that fully embrace and properly implement the PCI Standard. This will require a focus on much more than just the lowest-price solution.
A call to action:
Bottom line, if the private sector cannot follow the PCI Standard, the US government will eventually intervene by providing regulations and oversight that could increase the cost of PCI compliance.
Special thanks to the anonymous contributors at merchant banks, current/former QSAs and PFIs, merchants, QSA Companies, and credit card processors for confirming the accuracy of this white paper.