Tuesday, June 9, 2009

The Economics of PCI

According to a Wired online article[1] by Kim Zetter last week, Savvis are being pulled into a lawsuit relating to their PCI audits of CardSystems Solutions, who purportedly suffered a data breach in 2004. Frankly, I'm surprised that this is the first time that this has happened (and perhaps it isn't the first time?), but I think this is a worthwhile topic that is long overdue for some attention - especially in light of current dialogues regarding how the new administration can improve cyber security through regulation.

In her article, Kim makes mention of the general costs of becoming a PCI approved scanning vendor (ASV), and likewise a qualified security assessor (QSA). What the article does not mention is the sheer number of security companies, systems integrators, butchers, bakers and candlestick makers that have found their way onto the ASV list, and the automated tools that are often the sole component used to certify clients. There are a few good (bad) reasons that this is happening - and I really do think that the PCI council needs to consider how to solve this issue.

1) The cost of licensing most scanners with a "PCI Module" is a fraction (often less than 50%) of the cost of employing an entry level security 'consultant'.
2) They can be run by anyone, even butchers.

Coupled together, these points drive down the market rate for PCI assessments, and subsequently the quality of the work. This has resulted in a market where most small to medium security boutiques aren't even playing in the PCI space, because the costs of doing a thorough job are just so much more than what so many of the ASV community are charging - resulting in a negative margin (unless it's part of a much larger engagement). Further, many of the folks that are providing PCI scans are doing so with entry level 'consultants', really not qualified to do the job. For the level one merchants (which probably includes CardSystems Solutions) it's a similar story - while audits must be overseen by a QSA, they may also utilize more junior resources (under the 'subject matter expert' allowance) to conduct the actual system assessment activities. As a result, organizations may use lower-salaried, non-QSA certified staff on projects in order to increase margins within their P&L model.

This is saddening - I like PCI; it's an evolving standard, which has caused many organizations, both large and small, to take a first look at their security posture, where they may never have taken that first step had it not existed. Unfortunately, the market that we have created for ourselves undermines much of the good it's doing; so hopefully some good comes from this lawsuit, and those that really shouldn't have entered this space in the first place take a long hard look at their future here.

Security procurement folks really need to remember that you get what you pay for, even in this economy.

[1] http://www.wired.com/threatlevel/2009/06/auditor_sued/