The rise of the “Defensive PCI Assessment”
September 12th, 2009 by cmark | Posted in PCI DSS

This past Sunday I was speaking with a neighbor who also happens to be a doctor. As we were discussing the ongoing heated debate over healthcare reform, I asked his position on tort reform. For those not familiar with the issue, many people feel that limiting doctors' malpractice liability will improve the overall healthcare system by allowing doctors to work without fear of huge malpractice claims and without paying exorbitant insurance rates. My neighbor explained that he knew many doctors who practiced Defensive Medicine. Defensive medicine is medicine practiced with the goal of averting the possibility of future malpractice suits. Actions are taken primarily to avoid liability rather than to benefit the patient. Doctors may order tests, procedures, or visits, or avoid high-risk patients or procedures, primarily (but not necessarily solely) to reduce their exposure to malpractice liability. Many consider defensive medicine one of the most undesirable results of the rise of medical litigation.
On Thursday of this week I happened to be speaking to a prospective client who was expressing concern over what she perceived as a change in the PCI DSS assessment process. According to this person, whom I will call Ann, they used the same QSA in 2009 as they did in 2008, but their QSA's position on certain controls and segmentation strategies had fundamentally changed. What was considered "compliant" last year was suddenly no longer "compliant" in 2009. When she inquired about the change, the QSA's response was that the increased liability associated with making a mistake, or incorrectly finding a company compliant, meant that they had to take a more literal and strict interpretation of the standard. As I reflected on this statement, it occurred to me that I had heard the same thing from at least three other clients or prospects in the last few months. It seems that at least some QSAs are concerned about the new QA process and the associated penalties if a company is found to be negligent.
This situation is similar to what we are seeing in the medical industry. While I believe most would agree that implementing a process to ensure the quality of PCI DSS assessments is important and much needed, an unintended consequence of the program is an increase in firms performing Defensive PCI Assessments. A Defensive PCI Assessment can be defined as one in which the QSA focuses solely on the company's compliance and ignores larger security or business issues. Its purpose is to ensure that the QSA's work is defensible and protects the QSA's organization from liability under the new QA rules, rather than to provide recommendations or suggestions that may be a better solution for the client but that, when viewed critically, may be seen as "less compliant". I used to call this practice "chasing compliance at the expense of security".
As a former QSA and QSA Trainer, I can certainly appreciate the challenges faced by QSAs. PCI DSS related revenue accounts for a huge proportion of many QSA firms' gross revenue. Losing the ability to conduct PCI DSS assessments would be disastrous for many organizations and would certainly cause some to simply go out of business. It is difficult to blame any QSA for practicing Defensive PCI Assessments when faced with the risk of losing so much.
One area where Defensive PCI Assessment appears rife is the evaluation of tokenization type solutions and encrypted swipe solutions. It is difficult to argue against the point that not having usable cardholder data improves security significantly: if the data is not present to be compromised, then security is improved. Unfortunately, while these solutions are often much more secure than traditional transaction processing, they are difficult to evaluate from a PCI perspective. The inevitable result is that QSAs are placed in the position of making a judgement call that could place their organization at great risk if their judgement is deemed incorrect. For this reason, many QSAs opt to simply treat companies using tokenization and encrypted swipe solutions the same way as those holding full Cardholder Data.
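To make the tokenization argument concrete, here is an added illustration (example code written for this post, not any vendor's product or anything the original article contained). It models a hypothetical token vault that is the only component holding full PANs, a merchant record that stores just a random token and the last four digits, and a simple data-discovery sweep of the kind an assessor would run to confirm that no PAN-length, Luhn-valid digit runs remain in the merchant's storage. The PAN used is the well-known Visa test number; the vault interface and token format are assumptions for the example.

```python
"""Constructed tokenization example: the merchant zone keeps only tokens and a
truncated PAN, while full PANs exist only inside a separate vault component."""
import hashlib
import hmac
import re
import secrets
import string


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check used for PANs."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical token vault (an assumption of this example, not a real
    product). It is the only component that ever holds full PANs; the merchant
    application calls it over a narrow interface and stores the token it returns."""

    def __init__(self):
        self._token_to_pan = {}
        self._index_to_token = {}
        # Keyed hash of the PAN serves as a lookup index so a repeat card maps to
        # the same token without keeping a second plaintext copy of the PAN.
        self._index_key = secrets.token_bytes(32)

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a plausible PAN")
        idx = self._index(pan)
        if idx in self._index_to_token:
            return self._index_to_token[idx]
        # Random, letters-only token: not derived from the PAN, so it cannot be
        # reversed without the vault, and it can never be mistaken for a PAN.
        token = "tok_" + "".join(secrets.choice(string.ascii_letters) for _ in range(24))
        self._token_to_pan[token] = pan
        self._index_to_token[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only systems inside the vault zone (settlement, chargebacks) call this."""
        return self._token_to_pan[token]


def make_merchant_record(vault: TokenVault, order_id: str, pan: str, amount: str) -> dict:
    """What the merchant database keeps: the token plus last four digits, no PAN."""
    return {"order_id": order_id, "token": vault.tokenize(pan),
            "last4": pan[-4:], "amount": amount}


PAN_RUN = re.compile(r"\d{13,19}")


def find_pans(records) -> list:
    """Scope check: scan a dump of records for Luhn-valid, PAN-length digit runs,
    the way an assessor's cardholder-data discovery sweep would."""
    found = []
    for rec in records:
        for value in rec.values():
            for run in PAN_RUN.findall(str(value)):
                if luhn_ok(run):
                    found.append(run)
    return found


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample orders using the standard Visa test PAN.
    records = [make_merchant_record(vault, "ord-1", "4111111111111111", "19.99"),
               make_merchant_record(vault, "ord-2", "4111111111111111", "5.00")]
    print(records)
    print("PANs found in merchant store:", find_pans(records))
```

Running the block shows two orders that share one token (same card) and a sweep of the merchant records that finds nothing, whereas the same sweep over a record containing a raw PAN flags it. The point for the assessment debate is that the merchant side can be shown, by inspection, to hold no cardholder data; the security question moves entirely to how well the vault is isolated.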
What is the answer? That is the 64 thousand dollar question. From this writer's perspective, giving QSAs more latitude to evaluate security solutions alongside compliance solutions would go a long way. QSAs should be empowered to look for ways to evaluate the overall security of a company or solution, rather than looking solely at compliance. Until this happens, I fear we will continue to see defensive PCI practiced.