There is an article on Digital Transaction News this week that set me off, so I felt obligated to give the counterpoint view. Please pardon my rant.
That article states, “One issue Avivah Litan says has been raised by the RBS WorldPay and Heartland breaches—and others she says that haven’t been publicly disclosed—involves the responsibilities of the so-called qualified security assessors (QSAs) that do PCI assessments for processors and merchants. Assessors typically structure their contracts so that they bear little or no liability if a client is breached, she says.”
As an employee of a public accounting firm, you bet we limit our liability. Here is why.
First, I would like to get hold of the reporter who wrote this article and correct the use of the term “so-called.” We are not “so-called” QSAs, we ARE QSAs. We are certified by the PCI SSC and deserve to be referred to as QSAs. Are there QSAs that are not doing the proper testing for PCI compliance? Yes, I am sure there are, but you have that problem in any profession, so move on. Besides, the PCI SSC’s QA program should correct this situation.
Ms. Litan needs to remember that the PCI assessment, for the most part, is an assessment of a specific part of an organization’s control environment at a given point in time. The exception is for items such as quarterly vulnerability and penetration testing, but even those items are likely to cover only four distinct points in time. As a result, there are significant gaps in the testing of controls that no lawyer, accountant or other sane individual would accept as a liability.
Then there is the human factor. How are QSACs responsible for a client’s employee making an improper change to a firewall, or for a consultant obtaining cardholder data (CHD) from the CFO for a financial analysis, at any time after the assessment is completed? For a QSAC to be responsible for that, it would have to have QSAs on site, at all times, monitoring all work relevant to the PCI DSS requirements 24/7. That is not cost effective and is never going to happen.
What a QSAC is responsible for is failing to properly conduct the testing of the PCI DSS requirements and then reporting that a company is PCI DSS compliant when, in fact, it is not. That is negligence, and I can tell you that my firm’s contracts do not protect my firm from negligence.
Just had to get this off my chest.