Are QSAs Going To Suffer The Same Fate As Arthur Andersen?

The PCI Data Security Standard was created with the implied intention of upgrading the security of credit card data, and therefore protecting the cardholder. But instead, a process of covering your behind has been created that encompasses everyone from the lowest-level merchant to the major credit card brands.

The only way to make any database system truly safe is to shut it down, and with it shut your doors for business. The challenge is finding the right balance between security and ease of doing business. Then there is the cost factor: how much will it really cost to have the proper level of security? Realize that this cost will ultimately land on the cardholder, but "it's for their own good". The major credit card brands have created a business for companies to perform audits on certain classifications of merchants. The credit card brands created the PCI Security Standards Council, who in turn created the Qualified Security Assessor (QSA). What a QSA typically does is perform an audit of a client at a single moment in time. Realize that the PCI Security Standards are ever evolving, being relatively new, within a very dynamic environment.

Just as in accounting audits, the auditor will look for certain practices, processes and systems that show the client is in compliance. The auditor will also perform tests to ensure the process is working as expected. But with all that, there is no way to absolutely guarantee there will not be a breach. Realize that throughout this whole process, the QSA is usually gaining additional business by selling and implementing software, processes and procedures. This additional business, of course, by no means influences the audit.

And what happens if there is a breach? Besides the forensic part, where everybody tries to figure out what happened (other than that the bad-guy hackers get better every day), what happens is lawsuits: everybody starts pointing fingers at everyone else in order to minimize their own liability. Now the QSA is the one who "certified" the system secure. So at the end of the day the QSA, in my opinion, will take the fall. The QSA in many cases is by far the smallest entity of the bunch and will not have the resources to withstand a prolonged legal battle.

Does this resemble what started as a great business relationship between two of America's most respected companies, Enron and Arthur Andersen? That one resulted in the Sarbanes-Oxley Act; what will this one result in?


3 Comments

alan shimel, February 4th, 2010 at 2:19 am

Parker, the first lawsuit is already filed. Merrick Bank versus Savvis for their audit of CardSystems, I believe.

Parker, February 4th, 2010 at 3:31 am

You are right, and Heartland is in the midst of a suit, I believe. I am sure there are ones we don't know about also.

James Adamson, February 7th, 2010 at 1:36 pm

Possibly the reason that you see the Big 4 doing trusted-advisor work but not acting as the QSA of record when it comes time to report?
