Friday, July 10, 2009

Verizon/Cybertrust QSA in Jeopardy

Looking at the latest QSA list from PCI (https://www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf) shows Verizon/Cybertrust to be in a number of possible QSA violations and in failure to comply with a number of applicable QSA Validation Requirements. We've all known for some time that the larger-scale breaches (Hannaford, TJX, and others) have occurred under the watch of Verizon/Cybertrust. While I don't think the blame should be placed solely on them, they are still under an obvious review that should have been done by the PCI Council a long, long time ago. That said, relying solely on a compliance standard to secure you is about as effective as buying magic snake oil. It's still a start, and it's the most technical compliance standard out there, but it is still a compliance standard, not an information security program.

I do think this is a rude awakening for companies that maintain QSAs but don't perform quality work or carry out the audits to the fullest extent of what the standard requires. I really do hope that companies will start working with their customers instead of rubber-stamping because they send junior consultants or lack the expertise to complete the entire requirements list.

This should also keep several information security professionals up at night, knowing that they might not be as compliant as they originally anticipated.

One thing that has totally upset me with the entire PCI process is this: once a breach occurs, guess who comes in to investigate? Would you be surprised if Verizon/Cybertrust came back in to see how the breach happened? Does that seem completely crazy to anyone else but me?

2 comments:

Anonymous said...

Hmmm... I thought TrustWave is synonymous with "shoddy el cheapo QSA work." I never realized that they have such powerful competition :-(

Anonymous said...

The PCI Council has started a new QA program on QSAs that is really coming down hard on the "easy graders". From what I understand they want to push out some of these "pay to play" type auditors who tell companies "you pay us this amount, we will whitewash your compliance" and some of the audit types who treat the standard like some Word of God and lack any technical skills. Some of the big names like Trustwave and Verizon are really starting to struggle with PCI since they are so big and don't maintain quality staff. They are also getting some fierce competition from smaller, regional security consultancies who can offer better service and lower costs.