Ponzi Schemes, False Trust, and PCI QSA
April 4th, 2010 | by Mark
In this land of phishing attacks, rootkits, and Ponzi schemes, it doesn’t surprise me a bit that the PCI QSA program has gotten as much traction as it has. Just so you know, I’m setting the rant bit to “on” here.
As a point of reference, a Ponzi scheme is a fraudulent investment con that uses the investments of previous investors to pay returns to new investors. Ponzi schemes entice new investors by promising fantastic returns that other investments cannot guarantee. The perpetrator of a Ponzi scheme makes his money by scraping profits from each investor. When a Ponzi scheme collapses, it’s usually a big surprise to most of those involved. But Ponzi schemes do have their whistleblowers. You just have to listen.
Just ask Bernie Madoff.
For those that aren’t aware, QSA, or Qualified Security Assessor, is a rating that the PCI Security Standards Council assigns to those organizations and individuals that pay them some money and then take a relatively simple test. It is supposed to indicate a level of competency in the science of security assessments that meets the “rigid” requirements of PCI DSS. And, I’m here to say, it does! Unfortunately, those “rigid” requirements of PCI barely rise to the level of mediocrity in my opinion.
Let’s take a step back and examine outcomes. After all, the true test of a solution is how well it works over time, no? Well, if we look back on the major breaches of the past few years, we see that virtually all the successful attacks were against networks that were PCI QSA certified! How can this be? Well, there is an answer…
To start with, PCI segregates networks into two parts: the part of the network that sees cardholder data, and the rest of the network. Think of it as splitting your network into the mediocre security part and the rest of the network. Why mediocre? Because security can’t live in a vacuum and that’s what PCI expects to happen. They assume that there are weak trust relationships between the PCI relevant systems and the rest of the network. They don’t take into account how code is being generated, tested, published, and updated. They make assumptions about the rest of the network that connects to the PCI relevant systems that may not be true. They take on faith that the rest of the network is secure. There is a very false sense of trust in a very relevant portion of the problem.
QSAs also don’t take into account the drive by the customer to keep the QSA-testable part of the network as small as possible. Why? To keep costs down. QSAs earn their money by testing your network, and the more stuff they find the more money they make, because you have to get more testing done. I suspect that there are some QSAs out there that try to keep the size of the PCI-relevant network small because it helps with the bottom line. If you can charge a customer $35K to test 10 systems, that’s a better profit margin than having to test 25 systems. Any way you look at it, it’s a partial answer to a question that requires a complete solution.
If you don’t believe me, go back and look at the legal documents that outline your engagement. I bet that there are at least a couple of places that absolve the QSA of responsibility for the outcome of the test based on the “completeness” of the information provided.
Add to that the additional issues posed by security exposures that are caused by problems with processes and procedures and you have an interesting problem.
Mathematically, the inefficiencies in your network are multipliers of each other. For example, if your QSA security assessment only covers 15% of your network and only 5% of your people are trained, that means that 95% of your people are potential exposure points. Since people run and use the network, you can treat their training level as an efficiency factor too. When you multiply .15*.05 you get .0075, or less than one percent efficient. It’s no wonder that security fails.
And when the system fails and cardholder data is exposed people are surprised!
So why compare QSA audits to ponzi schemes? Because each time someone is convinced that they’re investing in their future by using a QSA, they’re investing their trust in the people that had QSA audits before them and, unfortunately, when they’re breached they’re greatly surprised.
To me, this is a very loud whistle.
So, what’s the solution? Granted, this is my blog, so I’m going to talk about why I think our solution is better than those provided by QSAs. What you need is a Cardholder Protection Program (CPP) that is part of an Information Protection Program (IPP) that examines your entire network holistically and in real time. When there is a change in one, you know that there’s an impact on the other, so you can take appropriate action. Granted, that action may be to ignore it, but at least it’s a conscious decision and not one based on false trust like PCI.