PCI Compliance: The QSA's Perspective
Over the past year or so, since the Heartland Payment Systems breach, we've heard a lot about the Payment Card Industry Data Security Standard (PCI DSS). What does 'PCI compliant' mean? Can a PCI compliant organization be breached? What's the role of the Qualified Security Assessor (QSA)?

Peter Spier, Senior Risk Management Consultant with Fortrex Technologies, has written a recent guest blog on PCI compliance, and in an exclusive interview offers insight on:

  • The QSA's role;
  • What's most misunderstood about PCI compliance;
  • How organizations can maximize their compliance efforts.

Spier is President of the ISACA Western New York Chapter and a Senior Risk Management Consultant at Fortrex Technologies based in Frederick, Maryland. Peter attained his graduate degree from Syracuse University's School of Information Studies and over the course of 12 years of experience, has earned Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), Project Management Professional (PMP), Qualified Security Assessor (QSA), Information Technology Infrastructure Library (ITIL) Foundation version 3, and HITRUST CSF Assessor certifications; among other credentials.

TOM FIELD: In terms of PCI, what is the QSA's perspective?

Hi, this is Tom Field, Editorial Director with Information Security Media Group. We are getting the unique perspective on PCI today from Peter Spier, Senior Risk Management Consultant with Fortrex Technologies.

Peter, thanks so much for joining me.

PETER SPIER: Glad to be here, Tom. Thank you for having me.

FIELD: Now you have just written a guest blog for us about this topic, but maybe now you can take just a minute to tell us a little bit about yourself and your background.

SPIER: I would be glad to. I was a graduate of Syracuse University School of Information Studies, and I am President of the ISACA Western New York Chapter. I am, as you mentioned, currently a Senior Risk Management Consultant with Fortrex Technologies and the QSA, so I do quite a bit of living and breathing PCI.

FIELD: Well, that's great. Now as I mentioned up top you have just written a guest blog on the topic; what would you say is the key point you wanted to get across in this piece you wrote?

SPIER: You have asked a very good question. I think that one of the things that is often confused about PCI post-Heartland, Hannaford, and TJX and all this, is that perhaps this is a weakness or deficiency in the PCI DSS standard or in the USA validation practices. I felt that it was an important point to mention that there may be shared responsibility all around, but I don't believe that it is the inherent weakness in the PCI standard itself.

FIELD: Well, you make a good point because particularly since the Heartland case there has been a lot of talk about 'What is PCI compliance, what is the role of the QSA, can I be compliant and still be breached?' Given all of this discussion, what do you find to be most misunderstood by people when they are talking about this?

SPIER: I think that people often forget that the Report on Compliance and the onsite assessment itself are a point in time, and they are based on looking at a sample of systems and processes. With this sampling methodology, the QSA is intending to utilize the standards and the requirements to interpret compliance. However, it really is the responsibility of the merchant and the service provider to maintain their compliance on all of their systems all of the time throughout the year.

So really when we come back in a subsequent year to do an assessment, there shouldn't really be a large amount of effort to get ready for the assessment; instead that compliance should have been maintained.

FIELD: Now as you know, there has been an awful lot of talk about the QSA's role as well and some criticism in the conversation. What do you find as a QSA is most misunderstood about what you do?

SPIER: I think that it may be something, at least in the press, where the QSA is usually interpreted as being either a part of the PCI Council or influential over the standards themselves. I like to think of my role as a QSA as being the advocate for compliance for the service providers and merchants that we are assessing.

I believe that we very much want to see them achieve their compliance, however it needs to be within that baseline standard of the PCI DSS requirements, and certainly they need to be able to exhibit and demonstrate that compliance 100 percent.

As you know with PCI DSS, there is no partial pass; it is either pass or fail. You are either 100 percent, or you are zero. So I do believe that it can be commonly misunderstood that we are going to say that there are things that are good enough, or that certain requirements are less important than others, and I view that as not being the case.

FIELD: Now, as you know this is a big year for PCI DSS. The Council has taken in some input, and we are likely to see an amended version by year's end. From your perspective, what really needs to happen to enhance both PCI compliance and awareness?

SPIER: I believe that the Council has actually been doing some excellent work in that area, by engaging PriceWaterhouse to help them with their technology examination and looking at some of the different trends that are out there, sort of the up-and-coming things and areas of concern: end-to-end encryption, tokenization, and even virtualization.

They have been trying to establish more of a community among the merchants and the service providers, so that even through the community their shared concerns can be heard, through some of the recent merchant training programs, even if they are not going to perform the assessment themselves internally, to be able to better facilitate communication with the QSA.

All of these things I think are very much helping the people who need to achieve compliance and are actually doing so. However, it seems to me that to be able to maybe broaden the word, unfortunately like many information security driven things, when it hits you in the pocketbook, it grabs the most attention.

We have seen a lot of that coming out of Heartland and all the numbers coming out for settlement. Unfortunately, a lot of the merchant violations don't ever come out, and I think that would be something that you see right now if you go to research Hannaford, you don't see the settlements that they may have made getting the same sort of press. It is just not something that is publicly reported, so with the company and their acquirer and the card brand themselves in those cases, we are fortunate to get a bit of an insight into how that process works, kind of stemming out of the larger things at Heartland and TJX, where we see that occurring from a service provider perspective and how expensive it really is. And even then, we are really not learning much about some of the increased transaction charges that can occur and some of the other things that maybe happen on a smaller incremental basis.

You know we see the walking number, but how exactly we got there I think has some real gravity to it. And as companies start to get a handle on that, perhaps the "Well, it hasn't happened to me yet" may dissipate. I know that I have heard even recently some companies' PCI strategies being, "Well, we will wait until the acquirer comes knocking," and I certainly don't recommend that.

FIELD: Well, you have given me a good segue to my final question Peter, which is what advice would you give to organizations now that want to maximize their compliance and get the pass ratings?

SPIER: I think that there are a couple of strategies that companies can use, and some of it depends on their familiarity with the standard and their familiarity with compliance programs really. So I think without a lot of experience in that area, I encourage companies to do gap analysis or subject matter expert consulting in advance of the compliance effort to help prepare them.

However, you know, if they feel that they are more mature in those areas, they have internal audit programs, they have people who are very familiar with compliance, and perhaps even--you know, I have seen companies who have brought in a former QSA, although sometimes that is not always the best approach, depending on whether they have been through the assurance program or not. But I think that some of the things they can do besides gap analysis and consulting is to work with the QSA to ensure that, pre-assessment, they have taken the time to modularize and to plan their milestones out. It really comes back to project management. You know, in this case it is program management--being able to understand how to break it down into smaller and more reasonable, easily managed components and to be able to measure those components for success, both in advance and in preparation and then in the onsite itself.

If you can manage that full lifecycle through the compliance audit, I think you will stand a better chance to come out with less homework and a more likely ability to achieve that compliance, and hopefully to maintain your compliance throughout the year as well.

FIELD: Very good, Peter. We have heard an awful lot about QSA; it is good now to hear from one. I appreciate your time and your insight and for writing the guest blog that you did.

SPIER: Well thank you, Tom. I am glad to be a part of it, and I do hope that your readers gain something from it.

FIELD: We have been talking about PCI compliance. We have been talking with Peter Spier with Fortrex Technologies. For Information Security Media Group, I'm Tom Field. Thank you very much.