The Question of Low Priced PCI Assessments

Branden Williams at Verisign (who has a great security blog, especially for its coverage of PCI issues) posts about an interview with Bob Carr of Heartland Payment Systems. The gist of the interview is: don’t hire the low-cost bidder. Branden’s final comments:

Of course, this attitude requires foresight. Which would you rather do:
ask for more money today, or ask for a TON more money tomorrow because
you had a breach? Most would pick the former, but their actions paint a
different picture.

I think this question assumes that higher prices lead to better PCI audits (which are supposed to lead to a lower likelihood of breach). It is worth keeping in mind that the “unwanted outcome” for PCI is a negative audit that rescinds the ability to process credit cards.

The PCI auditor decision can be framed the same way we perform any risk assessment: compare the difference in cost between providers to the anticipated difference in value at risk. So it might be “worth it” to use a low-cost provider if the cost savings over the preferred provider are greater than the anticipated increase in risk.

3 comments for “The Question of Low Priced PCI Assessments”

  1. September 15, 2009 at 8:39 pm

    Thanks for the kind words!

    The assumption, which is not well articulated, is that you get what you pay for. If you pay $1 Million for a PCI Assessment, does that get you something more than a $50K one? I would certainly hope so, but is that extra $950K worth the money spent? Probably not. There has to be a middle ground somewhere (there is).

    The real catch is if you go into an assessment expecting every gap to be correctly identified by your QSA, you can bet that the low cost bid is not motivated to do the same amount (think effort) of work and digging as the one with a more reasonable bid.

    Thanks again for the comments!

  2. Pete
    September 16, 2009 at 9:19 am

    @Branden -

    Hmmm, I am not familiar with the variance in hourly rates among the different QSAs, but if it is anything like the audit world I came from, it is not uncommon to have hourly rates vary significantly such that effort (hours) is very similar even though cost may be much lower.

    In any case, I hope you agree that my Return-on-Security-Investment approach outlined in the final paragraph is the important one.

    Pete

  3. September 20, 2009 at 5:34 pm

    Have you seen this blog related to “Heartland’s new E3 solution” and “Format and Datatype Preserving Encryption” at http://securosis.com/blog/format-and-datatype-preserving-encryption/ ?

Comments are closed.