What is the difference between QSAs?
April 12th, 2007 by datasecurity Posted in PCI SSC, QSA
(Please also read: Meet your auditor, Part 1 and Meet your auditor, Part 2)
I have read comments like this many times, where one QSA says the others are not doing as good a job. There is a quote from an article stating:
But merchants and security auditors criticize PCI DSS for constantly changing its standards and for its ambiguity to unique technology environments. For example, a security lapse flagged by one auditor may not be considered an issue by another.
I don’t believe that any standard can guarantee that all assessors will always interpret the standard and map it exactly the same way to every client environment. This problem of differences in interpretation varies much more for HIPAA and GLBA than it does for PCI, but it goes unnoticed because these other compliance requirements do not have as structured an audit program.
The PCI SSC requires that all qualified security assessors (QSA) attend a training class and pass an exam. This means that the assessors have met some minimum level of education and understanding of the PCI DSS. Again, no other compliance program offers such a structured education platform.
I’ve heard the argument that a company may choose one QSA over another because one is easier on the audit. But these variations exist not just between companies but between employees within a company as well. You know that even if you hire a Big 4 CPA company you might get someone straight out of college for whom you are the first client ever. You just never know.
I also don’t like this argument because if one QSA company is stricter than another they will most likely better understand the standard (as a whole, and the concepts of compensating controls) thus making it easier for a company to pass the audit. These variances are both a positive and a negative.
Now, if a QSA is concerned that they lost a job because of the time or cost they quoted on an RFP, that is just ridiculous. It’s well known that companies may sell the audit at a loss in hopes of getting hired to perform the highly lucrative implementation and remediation services. You cannot simply compare these things against each other.
4 Responses to “What is the difference between QSAs?”
By Drazen Drazic on Apr 15, 2007
The initial story you link is mine. Thanks for reading the blog. I just stumbled upon this site and did enjoy reading your article.
The gist of the blog should be read as a gripe against blatant incompetency when performing PCI reviews by some companies…activity that may jeopardise the objectives of the PCI standards. It’s not sour grapes in losing out on a couple of pieces of business. It happens to everyone. We’ve just seen too many bad jobs that move us to make such comments. The rest of my blog will hopefully demonstrate where I am coming from, from a security community perspective.
There’s a difference between interpretation of a point in a standard (PCI is like that) and a standout bad job where the QSA just does not understand what a particular standard means.
Re: the training and exam. Most non-security people would pass the exam. Trust me.
By John on Apr 18, 2007
I don’t believe that any standard can guarantee that all assessors will always interpret the standard and map it exactly the same way to every client environment.
I’d like to comment on that one.
I am an auditor and I have seen a Tier 2 client’s ancient Redhat 3.1 web server hosts accepting credit cards.
Redhat 3.1 of course has been unsupported for SEVERAL years now. Yet, along comes a big 4 consulting company (who are QSAs of course) and grants them the PCI compliant tick of approval!!!
I don’t think such issues have any room for interpretation amongst different assessors. More than likely their web servers have been 0wned by hackers years and years ago and yet they are certified PCI compliant!
By Pete on May 21, 2007
John,
not sure that was a Big 4 QSA - there are none, except for DT and only in Canada.
By Drazen Drazic on Jul 20, 2007
There is little presence now of Big 4 in Asia Pacific but there was! Most have now pulled out… my opinion… not enough expertise to cover the spectrum of what they need to audit. John was right but I won’t comment on his thoughts. At a recent PCI certification, Deloitte was still there. AND, we still hear stories of previous Big 4 activity at clients… gone but not forgotten! Don’t kid yourself they did well!