The increase in data compromises and the promotion of the PCI DSS has created a growing population of self-proclaimed PCI "experts" within the industry. Websites, knowledge bases, training groups, and forums have popped up with alarming speed. A quick query on a major search engine will reveal literally hundreds of PCI DSS experts operating in our industry. It is unfortunate that many of the so-called "experts" are often only superficially familiar with the PCI DSS and many have a less than comprehensive understanding of the Payment Card Industry. Even more curious is the fact that few people will try to confirm what they are being told by these "experts." Rather, they move forward on their advice, without realizing that they may be costing themselves significant amounts of time and money.
While I was a graduate student at Auburn University, I remember taking my trusty Honda Accord to a mechanic when it began to exhibit some troubling symptoms. After 150,000 miles, it was beginning to show some wear. I remember the mechanic explaining to me in great detail how the "flux capacitor" or some other "high tech" device was broken and would need to be replaced. He very earnestly told me, "I'm afraid it's going to cost about $2,500 to repair." I was distraught and, as one can imagine, quite frustrated. I did not know what to do. I needed a car, but I didn't have the money for the repair. Fortunately, my boyfriend (now my husband) was a pretty handy shade-tree mechanic. When I told him of the mechanic's diagnosis, he politely told me, albeit sprinkled with some colorful metaphors, that the mechanic was certainly mistaken. When Chris came to Auburn the next weekend, he was able to diagnose the problem as fouled points. A quick $8 change of the distributor cap later, and my beloved Honda Accord was back on the road. After this experience, I took every opportunity to learn about cars. I had no intention of ever replacing my own fuel injectors (though I have done so), but I did not want to be taken advantage of if I ever had to take my car to another mechanic. The moral of the story is that a few dollars and some education have saved me thousands of dollars over the years.
The same type of experience frequently plays itself out in the payments industry. In conducting training events or consulting engagements with clients, it is not uncommon to hear someone say: "my assessor told me that we must (fill in the blank) to comply with the PCI DSS." Frequently these recommendations are simply inaccurate interpretations of the standard or of the intent of a particular requirement. Unfortunately, sometimes these misinterpretations are so severe that one can only view them as intentional distortions. While it is possible my own mechanic was simply "mistaken" as to the cause of my car's trouble, the degree to which he misinterpreted the symptoms can only lead one to the conclusion that he was trying to take advantage of an ignorant consumer. Many companies, when speaking with their QSAs, may find themselves in the same position. Often, organizations will accept the QSA's diagnosis and move forward. This may simply be because the organization does not know enough to question the findings. I find it interesting that people generally have no problem asking for a second opinion from a doctor when diagnosed with a major illness or when told their car will cost thousands of dollars to repair.
While there are some very good QSAs and independent consultants in the market, the qualification alone does not make one an expert on PCI DSS related issues nor does it imply information security expertise. It is highly recommended that, prior to purchasing technology or implementing controls to address identified compliance issues, organizations conduct their own due diligence. Spending a little time and money double-checking a recommendation will often pay huge dividends.
Going back to my years as a poor graduate student, I recall a time when I had to take my car in for the annual inspection. I pulled my car into the inspection bay and held my breath as I waited for the results. The mechanic came out and informed me that everything had passed...except (you knew this was coming) that one of my front headlights was pointing at the wrong angle. He then informed me that he could fix it right there for $35, or I could take it somewhere else and bring it back. Of course, when I brought it back, I would have to pay for another inspection at a cost of $29.95. As I didn't have an inclinometer in my pocket or some other way of determining the actual angle of the light, I simply paid the $35, and my mechanic signed off on my inspection stating that my car was "compliant".
This story may be familiar to some who have experienced similar events. In the Payment Card Industry, this story is repeated numerous times every single day. A merchant or service provider hires an assessor to evaluate their compliance with the PCI DSS. When they are informed that there are deficiencies, these companies then hire that same assessor to correct the deficiency. This seems counterintuitive. Accounting firms are not allowed to conduct audits on firms for which they keep the books, as this is a clear conflict of interest.
This is not to say that any QSA firm that sells remediation services or products is dubious, merely to encourage companies to undertake due diligence prior to accepting, carte blanche, their judgment and advice in such situations. Companies must be educated on the standard and its intent in order to make informed decisions about how to achieve and maintain compliance.
Education is important in all areas of life. I have friends who are devout in their religious beliefs and as such spend many hours each week studying their scriptures. I am devout in my love of college football. As such, I spend many fall Saturdays "studying" plays from Auburn University football and their rivals. The point to be taken is that humans recognize the value of education in all areas, whether it is a hobby, a religion, or a business. Being more educated than my adversary makes it more likely that I will win my fantasy football league. In this same vein, organizations that are educated on the PCI DSS are better able to make decisions that support compliance and are certainly better positioned to counter the suggestions of a well-intentioned albeit misinformed consultant. The short answer is that companies should invest in education related to the PCI DSS.
All things being equal, and if given the choice, would a parent choose to send their child to an Ivy League school or the local community college? I am confident most would choose the Ivy League school. Why? Quite simply, they typically have a larger percentage of top-caliber professors. While some may debate the value, statistically it has been shown that students graduating from top-tier business schools are paid more than their counterparts at lower-ranked schools. Understanding this point, it is important that organizations looking for PCI-related information and education look for the "Ivy League schools" and not the now seemingly ubiquitous diploma mills that have suddenly appeared to capitalize on a perceived revenue opportunity. Here are some questions you can ask to determine if the program is right:
Do the instructors possess domain expertise? Specifically, how much do they know about the subject (in this case the PCI DSS) and where did they get the knowledge?
Does the company possess educational expertise? Have they actually instructed people on the PCI DSS with quantifiable results or are they Webinar Subject Matter Experts (WESME) only?
Does the company have a potential bias, or does it have your best interests at heart? If I am a car mechanic, I likely do not have much incentive to explain how to repair your car so that you never have to bring it back to me.
Is the person truly an expert? Conducting a single PCI assessment hardly makes one an expert in the industry. Separate the Johnny-come-latelies from those who understand the industry and its security needs and have real experience in evaluating, developing, and implementing security and compliance programs for the industry.