How to Select a Qualified Security Assessor ("QSA")
March 23, 2016
Authors/Presenters

David A. Zetoony
Partner
Boulder, Colorado
david.zetoony@bryancave.com

Joshua A. James
Associate
Washington, DC
josh.james@bryancave.com

Jena M. Valdetero
Partner
Chicago, Illinois
jena.valdetero@bryancave.com

Retailers that accept credit cards are typically required by the payment card brands to show that they are in compliance with the Payment Card Industry Data Security Standard, or "PCI DSS," at least once a year. How a retailer is permitted to show compliance depends in part on whether the retailer has a history of data security issues (e.g., whether it has suffered a breach) and on the quantity of credit card transactions the retailer processes each year. Typically, retailers that have either had a data security breach or transact large quantities of credit cards are required to retain a Qualified Security Assessor, or "QSA," to conduct an audit and to provide an independent report showing whether the retailer is in compliance with the PCI DSS. Retailers that have not experienced a data breach and transact relatively few cards are often permitted to self-certify their compliance with the PCI DSS.

A QSA is a company that has been certified by the PCI Security Standards Council ("PCI SSC") to validate compliance with the PCI DSS. The independence, effectiveness, and consistency of QSAs have recently been called into question. Among other things, the Federal Trade Commission ("FTC") has initiated an investigation of the QSA industry.[1]

By understanding what the FTC is looking at when evaluating QSAs, retailers can perform their own due diligence to try to avoid allegations by the FTC, or others, that a QSA's examination is insufficient. The FTC's investigation is focused on the following issues that may affect a QSA's judgment regarding a retailer's PCI DSS compliance:
1. The percentage of the QSA's revenue that comes from providing QSA services.
2. How often the QSA determines that retailers are not in compliance with the PCI DSS.
3. How QSAs bid, negotiate, price, and scope the audits that they perform.
4. The extent to which QSAs rely upon representations made by a retailer's employees.
5. The extent to which QSAs utilize sampling as part of their assessments.
6. The extent to which QSAs are willing to share "draft" reports with retailers that flag areas of non-compliance, but generate final reports that show full compliance if the retailer remediates areas of concern.
7. The extent to which QSAs are willing to issue final reports that show compliance based on assurances that a retailer will remedy a deficiency in the future.
8. The rate at which the retailers that a QSA certifies as compliant experience data breaches.
9. Whether QSAs have policies and procedures to prevent potential conflicts of interest.
10. How QSAs assess whether the risk of a PCI DSS deficiency has been appropriately mitigated by a "compensating control."
The following provides a snapshot of information to consider when evaluating a QSA:

166 - The number of companies certified as QSAs in the United States.[2]

9 - The number of QSAs that have been ordered to provide information to the FTC concerning their methods for conducting assessments.[3]

3 - The number of QSAs that have been implicated in public lawsuits following data security breaches.[4]
[1] Commission Orders to File Special Reports to Collect Information Regarding Data Security Auditors (File No. P155402).
[2] PCI SSC website, https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_security_assessors (last viewed March 9, 2016).
[3] FTC to Study Credit Card Industry Data Security Auditing, Commission Issues Orders to Nine Companies that Conduct Payment Card Industry Screening (Mar. 7, 2016), available at https://www.ftc.gov/news-events/press-releases/2016/03/ftc-study-credit-card-industry-data-security-auditing.
[4] QSAs responsible for certifications in the CardSystems, Target, and Heartland breaches appear to have been involved in the resulting litigation as possible defendants.