Comments on: MasterCard change for L2 merchants increases the market for QSAs by 2-4x http://chaordicmind.com/blog/2009/06/17/mastercard-change-for-l2-merchants-increases-the-market-for-qsas-by-2-4x/ Mixing childlike wonder with adultlike understanding Thu, 09 Feb 2012 14:50:58 +0000 hourly 1 http://wordpress.org/?v= By: admin http://chaordicmind.com/blog/2009/06/17/mastercard-change-for-l2-merchants-increases-the-market-for-qsas-by-2-4x/comment-page-1/#comment-65 admin Tue, 23 Jun 2009 16:30:13 +0000 http://chaordicmind.com/blog/?p=56#comment-65 Here's the interesting thing. I feel that the MasterCard change, along with other conversations in the industry, are going to push merchants towards adopting end-to-end encryption and other scope reduction measures faster than they would normally. I'll argue that the MasterCard change *could* increase the work for QSAs or it *could* drive people to reduce the amount of data they accept and retain. The PCI Answers blog has a <a href="http://pcianswers.com/2009/06/08/visa-leads-the-way-end-to-end-encryption/" target="_new" rel="nofollow">list of companies that currently offer end-to-end encryption options</a>. Though, I'm not sure if they do so in South Africa yet. ;) Here’s the interesting thing. I feel that the MasterCard change, along with other conversations in the industry, are going to push merchants towards adopting end-to-end encryption and other scope reduction measures faster than they would normally.

I’ll argue that the MasterCard change *could* increase the work for QSAs or it *could* drive people to reduce the amount of data they accept and retain.

The PCI Answers blog has a list of companies that currently offer end-to-end encryption options. Though, I’m not sure if they do so in South Africa yet. ;)

]]> By: Dominic White http://chaordicmind.com/blog/2009/06/17/mastercard-change-for-l2-merchants-increases-the-market-for-qsas-by-2-4x/comment-page-1/#comment-63 Dominic White Tue, 23 Jun 2009 06:58:07 +0000 http://chaordicmind.com/blog/?p=56#comment-63 I agree with what you've said, but it feels like the PCI is pushing the other way, for external QSA's and Internal Audit isn't ideal. If that is the case, and if the Mastercard change will drive more QSA work (I also think MC wants a QSA at some point if you use IA anyway), then they need to address the independence issue, which is my main point. I agree with what you’ve said, but it feels like the PCI is pushing the other way, for external QSA’s and Internal Audit isn’t ideal. If that is the case, and if the Mastercard change will drive more QSA work (I also think MC wants a QSA at some point if you use IA anyway), then they need to address the independence issue, which is my main point.

]]> By: admin http://chaordicmind.com/blog/2009/06/17/mastercard-change-for-l2-merchants-increases-the-market-for-qsas-by-2-4x/comment-page-1/#comment-62 admin Tue, 23 Jun 2009 06:52:14 +0000 http://chaordicmind.com/blog/?p=56#comment-62 I think one of the most forgotten items is that Level 2-4 merchants can validate with the Self-Assessment Questionnaire and Level 1 merchants can request their bank let them self-assess. If you have the skills internally then ask to use them. That being said, I think there are a number of skilled professionals out there that can provide a *huge* benefit in assisting the audit process. I've been involved on PCI DSS audits driven by the Internal Audit team of a company and it was checklist based. That does not happen everywhere, but you really want these internal auditors trained as well. I think one of the most forgotten items is that Level 2-4 merchants can validate with the Self-Assessment Questionnaire and Level 1 merchants can request their bank let them self-assess. If you have the skills internally then ask to use them.

That being said, I think there are a number of skilled professionals out there that can provide a *huge* benefit in assisting the audit process. I’ve been involved on PCI DSS audits driven by the Internal Audit team of a company and it was checklist based. That does not happen everywhere, but you really want these internal auditors trained as well.

]]> By: Dominic White http://chaordicmind.com/blog/2009/06/17/mastercard-change-for-l2-merchants-increases-the-market-for-qsas-by-2-4x/comment-page-1/#comment-60 Dominic White Tue, 23 Jun 2009 06:44:39 +0000 http://chaordicmind.com/blog/?p=56#comment-60 If the QSA sector grows massively, we're going to need to see some audit type regulation being put in place by the PCI and payment brands. I think the fact that a QSA can implement and audit their work right now and that won't influence their attestation is a Enron like problem. Internal audit departments on the other hand are good at dealing with this stuff, and frankly could use some upskilling. I think the PCI should be pushing QSA training for Internal Audit out instead of 'bullying' merchants to hire in external people, or if they are hell bent on using externals, then lower the unlimited liability clause to allow external audit to do it. I think the payment brands are reinventing the wheel. #Disclosure, I work for an auditing house, but not as an auditor. If the QSA sector grows massively, we’re going to need to see some audit type regulation being put in place by the PCI and payment brands. I think the fact that a QSA can implement and audit their work right now and that won’t influence their attestation is a Enron like problem. Internal audit departments on the other hand are good at dealing with this stuff, and frankly could use some upskilling. I think the PCI should be pushing QSA training for Internal Audit out instead of ‘bullying’ merchants to hire in external people, or if they are hell bent on using externals, then lower the unlimited liability clause to allow external audit to do it. I think the payment brands are reinventing the wheel.

#Disclosure, I work for an auditing house, but not as an auditor.

]]>