PCI and Assessment Consistency
As many organizations that have hired QSAs recently have seen, the Report on Compliance (ROC) has changed quite dramatically for v1.2 of the PCI DSS standard from previous versions. Although previous versions of the DSS required that a QSA address all the controls and properly document them, in fact many ROCs failed to provide adequate documentation that could be upheld in court. In general, as many QSAs have seen, the quality of work being delivered has varied widely. The QA process and scoring matrix released by the PCI SSC for v1.2 even the playing field for all QSA firms and provide excellent guidance on documentation requirements. Some QSA firms were severely cutting their fees and providing sub-standard work. For example, two days onsite for an audit, in almost all circumstances, just do not give adequate time to understand and assess a complex environment. As a customer looking for a QSA firm, don’t be lured by price alone. Obviously, price is a factor, and the market is especially competitive in today’s economy. Ask the QSA firm you are looking at for sample reports. There should be fully documented answers that provide descriptive, stand-alone responses. Inquire about the skill sets of the QSAs that will be conducting the work; ensure that they have experience with your industry. Consider the talent of the QSA firm; remember that your business reputation is potentially at stake. With the amount and severity of breaches today, it is up to customers to ensure that they use a quality QSA to assess their environment. Unfortunately, many organizations just want to “pass”; and if they do, they think they are good for the year. That’s short-sighted. PCI compliance is a state-in-time assessment, but an organization must maintain compliance at all times. Good QSAs will establish ongoing relationships and offer assistance in maintaining compliance over time. We, as QSAs, are now being audited, and the PCI SSC QA team will be reviewing all of the QSA firms out there. This is a step in the right direction to ensure consistency among QSA firms and their associated deliverables. This is beneficial for the customer too, as the quality of work is improving and the customer can start comparing apples to apples.
Explore More Blog Posts
I’m Just Asking Questions: Social Engineering as a Reporter
Dive into this real-world social engineering assessment where a fake anonymous tip and an adversary-in-the-middle framework tested the limits of an organization's security policies.
Beyond the Hype: What Regulated Industries Need to Know Before Trusting AI Security Tooling
AI security tools can build an attack, but enterprise security teams in regulated industries need consistency, auditability, and predictable costs before they can trust one. Learn why the surrounding infrastructure is where most AI security vendors are still falling short.
Splunk Enterprise Unauthenticated Arbitrary File Operations/RCE (CVE-2026-20253): Overview and Takeaways
Splunk disclosed CVE-2026-20253 on June 10, 2026, affecting Splunk Enterprise versions in the 10.0.x and 10.2.x branches. The flaw stems from a PostgreSQL sidecar service endpoint that completely lacks authentication controls (CWE-306), allowing any network-reachable attacker to invoke arbitrary file creation or truncation operations without credentials.