Avivah Litan

A member of the Gartner Blog Network

Avivah Litan
VP Distinguished Analyst
12 years at Gartner
30 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Her area of expertise includes financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications…Read Full Bio

Coverage Areas:

Class Action Suit against Target Assessor is a wake up call for PCI

by Avivah Litan  |  March 26, 2014  |  15 Comments

Two U.S. banks are suing Target’s Qualified Security Assessor, Trustwave, for damages incurred during the holiday season breach at Target, accusing the company of failing to identity security issues. The suit also claims that Trustwave’s round the clock monitoring services for Target failed to detect the intrusion into Target’s network for a full three weeks. See computerworld.com

Trustwave was just let off the hook from a similar class action suit filed by a former state senator against the South Carolina Department of Revenue, Trustwave and other parties for a database breach at the revenue department which was using Trustwave to monitor its systems. See postandcourier.com for more information.

Many headline breaches have occurred at companies certified as PCI compliant, but this is the first time that the fingers are pointing to the assessor. Gartner has long argued that PCI qualified security assessors like Trustwave should not be allowed to sell remediation and ongoing security services as Trustwave did for Target, according to the lawsuit. This has the effect of potentially destroying the integrity and independence of the assessment process.

Indeed as we wrote in a November 20, 2008 research note titled “PCI Quality Assurance Program Does Not Go Far Enough” – “The most significant enterprise complaint about PCI compliance practices is that many assessors also offer products and services that can be used to meet DSS requirements and ensure compliance to the audit. The PCI takes the same self-regulating approach to this issue that is widely regarded as having failed in the financial auditing industry and having led to the separation of consulting and accounting audit services. Gartner believes that the only truly effective approach is for the PCI to prohibit QSAs from performing remediation services for enterprises they are assessing.”

Nothing has changed on this front since 2008. In fact the situation has been exacerbated. It’s extremely difficult to find independent assessors who are not selling security services. (In fact I only know of two among the hundreds out there– I would appreciate referrals if you know of more). And the QSAs keep adding to the litany of security services that they offer.

Points to consider:

a) PCI compliance has become a big money making enterprise for the QSAs selling remediation and security services and their customers have been lulled into a false sense of security – at least in the C-level suite.

b) PCI assessor contracts generally state that the assessors have no liability if their customers are breached. But shouldn’t they be responsible for their assessments, at least for that point in time?

c) The PCI Council’s typical response to a PCI compliant entity that has been breached has been that the entity may have been compliant at the time of the ROC (report of compliance) but since became non-compliant after the report was filed. Therefore you can’t blame the assessor.

1. This argument loses validity when the assessor provides continual security monitoring services after the PCI audit.

2. Further, when the assessors offer security services, they are auditing themselves. You don’t have to be a security specialist to see that is a conflict of interest!

So what exactly is the point of PCI compliance? Sure no one can argue with good solid security standards and a lot of smart people have put some good thoughts into the PCI standard.

Personally, I think the standard is very good and thorough. It’s the enforcement process I have issues with. It’s a process rife with conflict of interests between assessors and payment processors, assessors with themselves, and even assessors with at least one card brand.

Unfortunately, I imagine that this particular lawsuit will be settled out of court, with all the documents sealed from public view. The last thing the PCI industry wants to do is have all these conflicts aired and scrutinized in court.

But maybe – and this is highly doubtful– the PCI machine will take its queue from the financial services auditing industry and voluntarily end the conflict of interests. Just as the big accounting firms had to split their auditing and consulting practices, so should the PCI assessment firms split their auditing and security services.

If nothing else changes, at least companies who have to comply with PCI will likely spend more time looking for independent security assessors. That’s just basic common sense.

15 Comments »

Category: Uncategorized     Tags:

15 responses so far ↓

  • 1 Class Action Suit against Target Assessor is a wake up call for PCI | All that All   March 26, 2014 at 5:46 pm

    [...] By Avivah Litan [...]

  • 2 Class Action Suit against Target Assessor is a wake up call for PCI : 6config: Le blog   March 26, 2014 at 6:12 pm

    [...] By Avivah Litan [...]

  • 3 Class Action Suit against Target Assessor is a wake up call for PCI | Euler Global Consulting   March 26, 2014 at 6:39 pm

    [...] By Avivah Litan [...]

  • 4 Rich Flowers   March 27, 2014 at 9:31 am

    Coalfire does not sell security remediation services. We’ve just switched to CF for assessments but had to go elsewhere for certain services (I.e. log reviews, Awareness Training ) as our previous provider had been including those.

  • 5 Rick Baldree   March 27, 2014 at 10:40 am

    PSC does not sell security services except for Forensics and pen testing.

  • 6 Shane Merem   March 27, 2014 at 10:52 am

    I agree. I am a QSA. I know it’s a big racket. The thing is the Card Companies run the PCI Council.

    Now they make millions of dollars certifying QSA’s and QSA companies and at the same time remove their own risk to any credit card fraud.

    So they fine companies and charge people to become auditors. And state clearly that any fraud is the merchants problem.

    It’s like legal extortion. If you don’t get audited from our paid auditors you will be fined. If there is fraud and you violate any part of the dss you will be responsible for the fraud. Etc.

    Most profit for Visa MC Amex Discover and JCB.

    it costs tens of thousands of dollars to be come a QSA company.

    The fact a company does a poor job or promotes their agenda is just another issue all together. We are told you must quote a product from another company as well. Nobody every does and this isn’t enforced.

    Oh and a QSA can hardly get a reply back from the council if you actually need advice. Not good.

  • 7 Quackledork   March 27, 2014 at 11:06 am

    Anitian (the QSA my firm uses) wrote about this extensively. Their perspective is that the whole PCI industry is stuffed with “checkbox auditors” who will pass anybody for the right price. They are really critical of places who promote “compliance as service” as if PCI compliance is merely some form you fill out on a webpage.

    Its good stuff: http://blog.anitian.com/the-failure-of-the-pci-dss/

  • 8 Avivah Litan   March 27, 2014 at 11:23 am

    Thanks, – Coalfire and PSC are the only two I know that don’t sell services. Glad to hear their names come up in the comments.

  • 9 Avivah Litan   March 27, 2014 at 11:32 am

    Great point Shane on how much QSAs have to pay PCI and the card brands to be certified and other great points as well. Appreciate you sharing that.

    My understanding is that it costs $15K to register each assessor (individual) with PCI. Pretty stiff fee don’t you think? What does the registration process look like? Does PCI come around and spend $15,000 worth of time evaluating each assessor?

  • 10 RC   March 27, 2014 at 12:10 pm

    Lest the comments section here become an advertisement for two firms, there are 330 QSA companies listed on the PCI SSC website.

    There are plenty that do not, would not or could not sell a managed monitoring service to a client that is also using their assessment services.

  • 11 Avivah Litan   March 27, 2014 at 12:36 pm

    Thanks RC – do you have any specific names? I sincerely would like to have them

  • 12 Matt   March 27, 2014 at 2:09 pm

    I see no reason why you can’t be both a QSA and provide remediation services. But either a voluntary internal policy of the QSA or something mandated by the PCI Council should prohibit the same company from providing both assessment services and remediation services to the same client. Although honestly, as a professional, I would take it upon myself not to contract with the same provider for both of those PCI services.

    QSA service is a relatively small market. A business offering both QSA and remediation would have a broader range of offerings to generate revenue. While it may not be true in actual practice, ideally nobody should know better than a QSA how to resolve shortcomings. I can see a definite benefit and good case for a QSA vendor to have both lines of business.

  • 13 Chris Anderson   March 27, 2014 at 3:14 pm

    Until February, 2013, I was a partner at Grant Thornto LLP (Canada) and in 2008 got into the PCI DSS asessment and audit game. As an audit firm, we played by the rules that Avihah mentions- so we either would do assessment work and tell the client what gaps needed fixing, or we would do gap closure, but not both. I am sure GT continues this practice.
    Given the concerns about independence, and checklist punching auditors, it is time for PCI SSC, the card brands, and regulators to take a good hard look at the quality of the audit work being done, change the assessments from long checklists to control objective and risk based audits. This could be based on ‘Service Organisation Controls’ audit standards from the audit world. THis may sound exclusionary, but as Avihah noted, the audit firms got into trouble with independence (WorldCom, Enron) resulting in real consequences (Andersen has gone, SOX, etc). Maybe it is time for some real consequences!

  • 14 Quackledork   March 27, 2014 at 3:42 pm

    I am going to downvote Coalfire as an auditor. We had them at my previous employer and they were terrible. At my current job we considered them but chose Anitian because they were significantly more technically skilled. We liked Fishnet too, but they were more expensive.
    I disagree with the whole “can’t sell remediation services” idea. As long as the QSA has separation between the people doing the integration and the audit work, there are a lot of benefits. Audit only places often have no technical skill among their audit staff. In one of our past audits the auditor completely ignored the fact that we had no segmentation at all.

  • 15 RC   March 28, 2014 at 11:57 am

    @Avivah – in order to remain impartial, I’m going to avoid naming any specific firms.

    In these comments as well as many similar articles discussing the separation between remediation and audit, there’s no definition for remediation. Do we mean that auditing and consulting should be separated, or auditing and engineering, or auditing and managed services? My employer sells assessment services, as well as advisory, testing, scanning, etc. However, the teams performing these are separate – a QSA could perform advisory functions but would never be involved in any hands-on testing or engineering activities, and certainly not a managed service.

    My employer also ensures that all auditors have a technical background. It is impossible to conduct an effective audit without a deep understanding of the various technologies one may encounter in the client’s environment. Pushing PCI into the realm of SSAE16 / SOX auditors would likely dilute the technical expertise already sorely lacking from most auditors. Requiring that anybody performing a PCI audit may ONLY perform the audit is likely to do the same, as there is then no commercial advantage to hiring QSAs who can also advise on a network or application redesign.

    To reference the comment further above re: qualification of auditors, this is one of PCI’s weakest points. A QSA is required to (barely) demonstrate experience via CV, then attend a 2-day training course with a multiple choice exam which is far from challenging. A more comprehensive evaluation of auditors will drive up the skillset required, which will drive up the salary, which in turn will drive up the cost of services to customers. That would seriously harm some of our competitors going in with the cheapest bid to do the checkbox PCI assessment.

    Some of the companies named in these comments are exactly those, and I have won several clients simply by turning up and not being incompetent – I have witnessed several extremely negligent reports issued by predecessors, and clients are all too happy to pay a premium after experiencing the low end of the market.

    At least two of the companies in the comments are very credible firms who I have no issue with.