QSA Liability

There is an article on Digital Transaction News this week that set me off, so I feel obligated to give the counterpoint view.  Please pardon my rant.

That article states, “One issue Avivah Litan says has been raised by the RBS WorldPay and Heartland breaches—and others she says that haven’t been publicly disclosed—involves the responsibilities of the so-called qualified security assessors (QSAs) that do PCI assessments for processors and merchants. Assessors typically structure their contracts so that they bear little or no liability if a client is breached, she says.”

As an employee of a public accounting firm, you bet we limit our liability.  Here is why.

First, I would like to get hold of the reporter that wrote this article and correct their use of the term “so-called.”  We are not “so-called” QSAs, we ARE QSAs.  We are certified by the PCI SSC and deserve to be referred to as QSAs.  Are there QSAs that are not doing the proper testing for PCI compliance?  Yes, I am sure there are, but you have that problem in any profession, so move on.  Besides, the PCI SSC’s QA program should correct this situation.

Ms. Litan needs to remember that a PCI assessment, for the most part, is an assessment of a specific part of an organization’s control environment at a given point in time.  The exception is items such as quarterly vulnerability scanning and penetration testing, but even those cover only four distinct points during the year.  As a result, there are significant gaps between the times the controls are tested, and no lawyer, accountant or other sane individual would accept liability for what happens in those gaps.

Then there is the human factor.  How is a QSA company (QSAC) responsible for a client’s employee making an improper change to a firewall, or for a consultant obtaining cardholder data (CHD) from the CFO for a financial analysis, at any time after the assessment is completed?  To prevent that, the QSAC would have to keep QSAs on site at all times, monitoring all work relevant to the PCI DSS requirements 24/7.  That is not cost effective and is never going to happen.

What a QSAC is responsible for is failing to properly test the PCI DSS requirements and then reporting that a company is PCI DSS compliant when, in fact, it is not.  That is negligence, and I can tell you that my firm’s contracts do not protect my firm from negligence.

Just had to get this off my chest.





May 2009
