PCI, QSAs, Hackers, and Slackers: Will the Real Enemy Please Stand Up?

A very heated reaction has followed the interview I conducted yesterday with Robert Carr, CEO of Heartland Payment Systems. One reader even said the resulting Q&A made his “blood boil.”

Why the outrage? Because Carr did something a lot of people find unacceptable. He threw someone else under the proverbial bus for his company’s failure to keep customer credit and debit card numbers out of evil hands. Specifically, he thrust an angry finger at the QSAs who came in to inspect the security controls Heartland had in place to meet the requirements of PCI security.

In the article, [Heartland CEO on Data Breach: QSAs Let Us Down] Carr said, “The audits done by our QSAs (Qualified Security Assessors) were of no value whatsoever. To the extent that they were telling us we were secure beforehand, that we were PCI compliant, was a major problem. The QSAs in our shop didn’t even know this was a common attack vector being used against other companies. We learned that 300 other companies had been attacked by the same malware. I thought, ‘You’ve got to be kidding me.’ That people would know the exact attack vector and not tell major players in the industry is unthinkable to me. I still can’t reconcile that.”

That one comment brought down the house, and not in a favorable way.

“I just read Bill Brenner’s interview with Heartland Payment Systems’ CEO Bob Carr and truthfully, my blood is boiling,” Mike Rothman, SVP of strategy at eIQnetworks and chief blogger at Security Incite wrote in a counterpoint piece CSOonline ran today. “Basically, he’s throwing his QSA under the bus for the massive data breach that happened under his watch. Basically, because the QSA didn’t find anything, therefore he should be off the hook. I say that’s a load of crap.”

Since the Q&A’s publication, my Twitter stream has been gushing with likeminded comments. Here are a few of my favorites, with the identities protected:

• “So all I have to do is QSA-shop and then throw them under the bus later in an interview? That’s awesome!”
• “QSA output is only as good as the information/honesty, integrity of the client!”
• “Let’s see, a captain try blaming the USCG for a faulty inspection after a maritime mishap. Would quickly be an EX-captain. #PCI #HPS #BS”

I agree with the notion that too much blame has been dumped on the QSA and that in most cases a security audit is only as good as the honesty of the client. Clearly, Heartland’s security weaknesses were extensive and the responsibility must ultimately rest with everyone up and down the Heartland chain of command.

But I’ve interviewed enough IT security practitioners over the years to know that it’s not always so simple for them to find every weakness and seal every hole. Security standards like PCI DSS were meant to help companies find and address such weaknesses and, in doing so, protect customers from the nightmare of identity and credit fraud. But the standards and regulations themselves are imperfect, open to too much interpretation and expensive for many companies to heed.

That’s where a good QSA can make a difference. But just as there are good politicians and bad politicians, good restaurants and bad restaurants, good cops and bad cops, there are good QSAs and bad QSAs. I’ve talked to several IT security practitioners who were trustworthy and committed to their craft who recounted nothing but misery in their experience with auditors.

I’ve also interviewed many a practitioner who had nothing but good things to say about their assessors. Some have even credited their QSAs with helping them find problems they never would have found on their own. For a look at both kinds of experiences, read “A Tale of two PCI Security Audits.”

Did Heartland really have as bad an experience with QSAs as Carr suggests? For those who weren’t on the inside to witness the audits up close, it’s impossible to say.

What I am certain of is this: There will never be a shortage of opinions on how best to approach security and who to blame when the shield breaks. The best thing a site like CSOonline can do is present the full spectrum of views — one Q&A, podcast and article at a time — to help security professionals find a solid, successful middle road.

To that end, I’m grateful to everyone who has contributed to the debate. Keep it coming.