OMG, you have to be kidding me? Robert Carr, the CEO of Heartland Payment Systems, famous for what is probably the largest credit card breach in history late last year has just come out in an interview essentially blaming his PCI auditor for the incident. To quote “The audits done by our QSAs (Qualified Security Assessors) were of no value whatsoever. To the extent that they were telling us we were secure beforehand, that we were PCI compliant, was a major problem. The QSAs in our shop didn’t even know this was a common attack vector being used against other companies. We learned that 300 other companies had been attacked by the same malware. I thought, ‘You’ve got to be kidding me.’ That people would know the exact attack vector and not tell major players in the industry is unthinkable to me. I still can’t reconcile that.“
Here’s some news for you Bob, the QSA is not your security team. The PCI-DSS standard is not a security standard. Your QSA is not there to replace the skills and initiative of your own security team. They are not responsible for educating your people about common attack vectors. They are there to check that you meet a card industry standard at a point-in-time. To say otherwise is venal and just shows me that you have failed to take responsibility for the failure that you allowed to happen on your watch.
Security in this industry is everyone’s responsibility but you as the CEO are ultimately liable as you determine where resources are spread within your organization. Throwing your QSA under a bus just makes you even more pathetic in my eyes.
Geof Birchall
