MISUNDERSTANDING THE ROLE OF A QSA
Senior management, including CEOs, should know by now that passing a PCI DSS compliance assessment does not mean your data is secure. This has been made painfully obvious by the notorious breaches at Heartland Payment Systems, Forever21, Best Western, Hannaford, and Network Solutions. All were said to have been validated as compliant by a QSA, but at what point in time?
The role of a QSA is to verify and validate compliance within the 12 core requirement areas of the PCI standard. One must realize, though, that the assessment is based on a point in time. So if the QSA gives you a pass, it is an acknowledgement that the technical controls within the cardholder data environment were being met at the time of the audit, not a guarantee that they remain in place afterward.
Many executives misunderstand the limitations of a PCI audit and believe a QSA will identify all of their exposures and be responsible for their security and for any breaches that might occur. This simply is not the case. It is not a QSA's role to provide a detailed security or risk assessment of your entire business network, along with a remediation list of vulnerabilities and risks. That type of security due diligence falls to the company responsible for meeting compliance and securing its transactional data. Again, if you store, transmit, or process cardholder data, it is your responsibility to ensure the data is protected, not the QSA's. A complete security program should be managed in-house or by a third-party security consultant, such as NCX.
The point is that true compliance follows from good security practices and goes far beyond a checkmark. Because PCI DSS is considered the baseline, the lowest common denominator of security, it is wildly naive to think it is the end-all for keeping data safe. In fact, it is only the beginning.
Your QSA can certainly provide advice and guidance if they see a discrepancy while performing your audit, but they have no control over your ongoing security program and cannot ensure your business systems will not change after the assessment. Security is an ongoing process, and every aspect of risk should be assessed continually to ensure all risk areas are identified and remediated.