Tuesday, October 7, 2008

Regulate for Profit – Part 2

Here are a few more random thoughts I would like to add to my previous posting, “PCI SSC Show Their True Colors – Regulate for Profit!”

PCI SSC’s Justification

Although not posted here, I had some feedback on a couple of forums and second-hand information from someone who attended the latest PCI Community Meeting in Orlando, Florida. PCI SSC’s justification for the fee is that they want to be self-sufficient and independent from the card brands. This is good in theory if you ignore two glaring obstacles:

  1. The card brands make up the entire executive committee

  2. A majority of the General Managers and Working Group Chairpersons (possibly all; some titles are missing) are people who represent the card brands

Independence cannot be achieved until these two obstacles are addressed.

Why List?

Reading some of the latest notifications from Visa, I see that Visa is not requiring applications to be “listed.” Visa’s wording on its mandate notifications is “PA-DSS compliant applications,” with no mention of a listing requirement. I’ve also heard that QSAs are being taught that they cannot rely on any PABP or PA-DSS list and instead should do their own assessment of the applications used by merchants. This means that PCI SSC does not have any faith in the PA-DSS assessments or the list it is maintaining (for $1250 a pop!).

So if the card brands are not requiring any list, and PCI SSC has no faith in the assessments on file or in its own list, what’s the point of the list? Oh yeah, I forgot – PCI SSC’s independence.

Make It Useful

Ok, I’ll pause from my slamming and throw out some ideas to make this list useful.

  1. PCI SSC should have faith in its own program. If there are areas of concern, like assessments of varying quality, then fix the program to have more quality assurance. PA-DSS imposes SDLC requirements on application vendors to promote some level of QA; why shouldn’t the QSAs be subject to some of the same checks?

  2. PCI SSC should allow and encourage QSAs to refer to “the list” to streamline merchant assessments. QSAs should give every application a quick peek to make sure it is properly configured, but they should not have to do a complete assessment of every application from scratch.

  3. The card brands should allow “safe harbor” from fines in the event of a breach if the breached application was listed and properly configured.

Parting Shot

The PA-DSS list should provide a benefit to merchants and the various other parties involved. As it stands right now, the PA-DSS listing fee is nothing more than a revenue stream for PCI SSC with no benefit. I think if my “make it useful” suggestions were implemented, the list would become useful and the $1250 would no longer be considered simply a tax or tribute.