Kicked Out Of “The Club”

It has finally happened.  A Qualified Security Assessor Company (QSAC) has had its status revoked by the PCI SSC.  In a little-noticed release dated August 4, 2011, the PCI SSC announced through an FAQ that as of August 3, 2011, Chief Security Officers (CSO) of Scottsdale, Arizona is no longer a QSAC.  To add insult to injury, CSO was also a Payment Application Qualified Security Assessor Company (PA-QSAC), and that status has been revoked as well.  In reviewing CSO’s Web site, all references to merchant and application assessments have been removed, which was likely required by the PCI SSC with the revocations.  These revocations are pending any appeal by CSO and only they know if an appeal will be mounted.

The PCI SSC did not explicitly share the reasons why CSO’s statuses were revoked.  But what little information is in the FAQ seems to imply that CSO was not able to provide documentation that supported the assessment opinions in the Reports On Compliance (ROC) and Reports On Validation (ROV) they had issued.  While there is no public way to determine the number of ROCs that CSO has issued, in reviewing the PA-DSS certified applications list from the PCI SSC Web site, CSO had issued around 56 ROVs for payment applications.

What is interesting about this whole situation is that the PCI SSC issued the announcement as an FAQ versus the usual press release.  From the FAQ, we now know something about the revocation process.

  • First and foremost, it seems that the PCI SSC is finally showing its teeth regarding their quality assurance assessment process.  The FAQ states, “CSO’s status as a QSA and PA-QSA was revoked only after careful review of reports and evidence submitted as part of the quality assurance program …”.  The implication here is that CSO was unable to provide sufficient evidence that supported the conclusions of their assessments.  This is important because it seems to indicate that the PCI SSC is now including a review of work papers to determine if QSACs are collecting evidence that supports their conclusions in the Report On Compliance (ROC).
  • The FAQ states, “It accompanies CSO’s inability to demonstrate sufficient improvement through a prior remediation process.”  CSO had already been through the QA process once and had to go through remediation as a result of the prior QA review.  CSO must have gone through the remediation process within the last two years as it was two years ago when the QA process started.  Even after going through remediation, CSO was apparently not able to get through the QA assessment without being placed in remediation again.  What is unclear is whether a QSAC is not allowed to go through remediation twice in a row or if the CSO situation was the outgrowth of larger QA issues that could not be corrected.
  • The FAQ states that ROCs and ROVs issued by CSO and accepted by the card brands and the PCI SSC are still valid, but that any work in process will need to be conducted by a different QSAC or PA-QSAC.  What I find interesting here is that while the PCI SSC QA process found that CSO was not doing their job as a QSAC or PA-QSAC, merchants and others are to accept their previously issued work and results.  That seems a bit too flexible in my opinion.  If CSO’s status as a QSAC and PA-QSAC has been revoked, particularly for being unable to support their conclusions, then why should any organization accept their conclusions on any previous assessments?  I am particularly concerned about any payment applications certified as PA-DSS compliant.
  • One thing implied by the FAQ but not explicitly stated is that all of CSO’s employees that had a QSA designation are no longer QSAs.  As a result, based on my understanding of the QSA rules, they cannot go to another QSAC to retain their QSA status.
  • Finally, CSO has an opportunity to appeal the PCI SSC’s revocation of the QSAC and PA-QSAC status.  However, as of this writing, I have not seen anything in the press that would indicate that an appeal has been requested.

It will be interesting to see if CSO appeals this decision or just accepts the Council’s ruling.


8 Responses to “Kicked Out Of “The Club””

  1. 1 nrs
    July 25, 2013 at 1:09 PM

    Has there been a situation where a card brand revoked an organization’s ability to process credit cards for payments as part of the penalty?

    • July 26, 2013 at 6:05 AM

      Indirectly. The most famous was CardSystems Solutions which was breached in 2005. After the breach was disclosed, CardSystems was acquired by another processor later that same year. I’m sure there have been a number of similar situations that have not been made public.

  2. September 9, 2011 at 3:33 PM

    I probably should clarify. I don’t think most QSAs are adversarial, it’s more about an organization trying to do as little as possible to meet requirements, with the QSA stuck in the middle of what is a pushing match of the client vs an immovable set of requirements. A sort of shoot the messenger if you will.

    Though, the exception is the mixed skill levels and knowledge/experience of various QSAs.

    I guess ultimately I still just feel like this is all about telling and showing a QSA what he wants, to get past the assessment. “Yeah, we log.” As the logging system sits in a corner untouched in a year.

  3. August 24, 2011 at 3:57 PM

    In your bullets, #3 and #4 really stick out to me. In #3, I definitely have a mixed feeling. On one hand, I want CSO’s customers to be given a clear message that they need to make sure their QSA is valid enough. But on the other hand, I doubt many (if any!) of their customers have expertise enough to call their QSA out on that level. That would become a huge pushing match (wait, aren’t audits already a huge pushing match?!). In that case, it’s really up to any involved security-knowledgeable experts to speak up, I think, or as done, PCI to step up to the plate.

    On #4, that’s a huge deal, and I would feel sorry for anyone involved in CSO that truly knows what they’re doing and are brought down by one or more incompetent people. Who knows, but that also means competent security people really need to make sure they’re in an ethical company. I like that bit of self-assessment, but I also know that makes for a somewhat unfriendly and hostile environment. Well…maybe not hostile, but it’s definitely a “watch-your-back” thing, and that’s just a little bit of bad karma, ya know?

    • August 25, 2011 at 11:12 AM

      PCI assessments should never be an adversarial project, they should be collaborative. By that I mean that a QSA should be not only determining an organization’s level of compliance, but they should also be providing guidance and ideas on how to better comply with the PCI requirements, as necessary. A QSA does need to enforce the PCI requirements, but they should never be a “my way or the highway” sort of approach to the assessment.

      • August 29, 2011 at 11:14 AM

        Well, “should never be a ‘my way or the highway’ approach” is nice, but not always as simple as it sounds. In my experience, the onsite QSA is usually very collaborative as opposed to adversarial. The problems usually start when he/she writes up the report and the QSA’s QA department gets their hands on it. These QA departments are often “my way or the highway” and we have had occasions where fighting with a QA department is more time consuming than the onsite assessment.

      • August 30, 2011 at 5:06 AM

        Yes, QA people can also create an issue but, in our case, it is more of a “how can you justify your conclusion based on the evidence collected” approach.


Welcome to the PCI Guru blog. The PCI Guru reserves the right to censor comments as they see fit. Sales people beware! This is not a place to push your goods and services.

August 2011
