Posted by: David Schneier
Audit, PCI, Regulatory Compliance, SAS 70, Security
I was sitting in on a meeting this week during which a security review was being conducted for a proposed software solution for my client. The product was designed and hosted by a third-party vendor.
At first blush I was impressed with the scope and depth of the review; it was a comprehensive security assessment more than anything else. The questions being asked were the right ones, the information collected and reviewed seemed to substantiate the answers and the people participating in the review were all at once curious and knowledgeable. The sum total of these parts equaled good things.
Until I noticed a comment embedded within one of the vendor's responses.
In regard to the question “Does the vendor have a recent SAS 70?”, the response took a sharp left turn and drove straight towards the wrong answer. The vendor ignored the question and instead described how they’re PCI certified. First, that’s not the right answer, because PCI is very narrowly focused on a subset of the infrastructure, whereas SAS 70, in theory, is much broader when applied to a technology vendor. Second, “PCI certified” almost always means that a self-assessment questionnaire was completed by the vendor and submitted to their processor for validation. Unless the vendor is Tier 1 (which means they process in excess of six million transactions per year), there’s no external validation of the responses in the questionnaire, so you don’t really know how accurate or reliable the answers are anyway. Third, the vendor they referenced as conducting their quarterly scans was recently placed in remediation status after the PCI police found that they had violated QSA validation requirements. That’s not much of a confidence boost, is it?
In the end I suppose my biggest (and really only) issue with the process was that, to the untrained eye, the information presented looked great. But I couldn’t get past the fact that they blew right past the SAS 70 question and presented what appeared to those in the room to be a strong answer, despite the fact that it was the wrong one and fell apart under scrutiny.
Ultimately, I’m hung up on this one wrong answer, and my reasons are twofold: Will people mistake PCI for a true security standard? And if so, will the majority of the IT community go with the assumption that any framework that has been applied and certified, authorized or approved is as good as the next?
I sure hope not.
Check back early next week, because for those of you who dabble in governance I’ve got something really cool to share with you.