Can a retailer hire a QSA firm that also provides its security services for PCI Compliance?

  • Team Omega
  • August 18, 2014

Here’s what happened to Target when it went through a breach: banks sued Target’s security auditor. The auditing company strongly advertised the fact that it was both a PCI auditor and a PCI service provider. This meant that the auditing firm did the scanning of Target’s network and reported no vulnerabilities. In reality there were several problems that led to the breach, which the auditing company missed.

The company also did the network monitoring and did not detect any intrusion. The banks that sued Target said, “The auditor failed to live up to its promises, or to meet industry standards. The failings, in turn, allowed hackers to cause the data breach and to steal Target customers’ PII and sensitive payment card information.” A counter argument said that, “if Target did not accurately communicate the details of its network access practices and security controls, the auditor would have had a hard time finding those details on its own, without extensive and expensive testing.”

A maxim to remember: always go with a third-party vendor for your PCI security services, not with the QSA who is appointed to do your audit.

Follow what the PCI Council recommends. There is a control in Section 2.2 of the PCI Validation Requirements for Qualified Security Assessors (QSA) specifying that a QSA firm auditing a retail environment should not also be employed to fix the problems it finds. The requirement calls for “auditor independence” within the QSA program precisely to avoid any type of conflict of interest.

Retailers should put policies in place that mandate a separation of duties between the QSA auditors performing the assessment and any other individuals within the QSA-certified company who provide remediation support.

The original article appeared at computerworld.com.