Do QSAs Understand PCI?

I guess that title should say “Can anyone clarify PCI?” or “Can we get some PCI consistency please?”  I find myself in discussions day after day on topics around PCI.


What is required for a web app test?  Is it authenticated?  Is it just a scan?  Is it just my external environment?  Is it only my cardholder systems?


I know the Council is trying to do its best with outlining the standards, but there is still a serious lack of consistency across QSAs and organizations.  I found this so frustrating that I developed the cartoon below to represent my opinion.



Basically, Mr. CEO here is not meeting PCI compliance, and his QSAs are all telling him something different.  Even better are the new standards and enforcement that all the QSAs themselves are still trying to understand.  Will any big enterprise be able to achieve compliance?

Security Breach Resources

Pulling security breach trends for different industries the past few months I came across a few good sources to help anyone that needs specific data.

Two sites I found with an abundance of information were: the first hosts a chronological list of breaches from several years back to the present date, with a brief description of each breach and the number of records affected; the second hosts the actual breach notification letters that have been sent out.

For statistics and trends use these resources.


In general it looks like breach frequency is about the same in 2007 and 2008.  Problems seem to be related to basic items such as laptop theft, data left unencrypted, and your usual intruder attack.

HIPAA and the Stimulus Bill

Is HIPAA Really Changing?

Here is a good link summarizing the changes.

I think John did a good job outlining the key changes.  There is no point in regurgitating the information he has already covered in detail.  Overall, there are changes to penalties, new breach rules, business associate responsibilities, and more.

What I find interesting is that, according to his article, HHS is now responsible for issuing guidance specifying technologies and methodologies.  To date I haven’t seen anything posted on their site, but they have until February 17, 2010 before the Act is in effect.

I believe many government-based organizations currently fail these controls miserably.  It will be good to start seeing some accountability.  I just hope they lay out the expectations clearly, unlike when PCI was first issued.  I also hope there is some visibility into the ratings of each entity moving forward.

In the meantime, here are a few good older links to help entities make sure they are at least in tune with current expectations.