The Value of a Second Opinion
Second opinions can be valuable. I recently went to two mechanics to see if I could avoid replacing the radiator on my car. I doubt that any of us, faced with a serious medical situation, would hesitate to ask for a second opinion. So why are we sometimes so quick to entrust our institution's reputation and checkbook (and maybe even our own career) to one PCI expert?
A few weeks ago I heard from a school. They bought a "recommended" solution to address their PCI needs and were just discovering that it might not be all that they hoped. The particularly unfortunate part about it was that this was a completely avoidable situation: getting a second opinion at the start would have highlighted the flaw in the salesman's pitch, and a better solution (from the same company, BTW) could have been found. They are now stuck with an unpleasant and possibly quite expensive situation.
PCI is still a mystical beast to many, or at least so it seems. When faced with such a mystery we sometimes put trust in the wrong places (see my thoughts here). This misplaced trust is what happened to the school that bought the solution that was wrong for them.
Mike Dahn picks up this theme in the latest Aegenis Newsletter. This issue is full of Mike's usual thoughtful analysis and insights. He notes the importance of getting a second opinion, writing:

"Unfortunately many of these so-called 'experts' are often only superficially knowledgeable of the PCI DSS and most of those have a less than comprehensive understanding of the payment card industry... During [PCI] training events, it is not uncommon to hear a merchant, service provider, or bank say: 'my QSA said that we must (fill in the blank) to comply with the PCI DSS.' More often than not, these recommendations are simply inaccurate interpretations of the standard or the intent of a particular requirement. People have no problem asking for a second opinion from a doctor when diagnosed with a major illness. It always surprises, however, when an organization will spend millions of dollars on remediation based upon a statement from a single individual with often cursory experience in the industry without seeking a second opinion... While there are some very good QSAs in the market, the qualification alone does not make one an expert on PCI DSS related issues nor does it imply information security expertise. It is highly recommended that, prior to purchasing technology or implementing controls to address identified compliance issues, organizations conduct their own due diligence and find a second opinion. Spending a little time and money double-checking a recommendation will often pay huge dividends."
This analysis matches my own experience. These conclusions are doubly relevant if the "expert" is, or is affiliated with, the salesperson. Remember the film "The Godfather," and the line: "this is business, not personal." That line should be in your mind constantly. Understand that no matter how friendly and knowledgeable the salesperson appears, to them you are simply their next paycheck, or braces for the kids, or a new boat. I'm not saying to be nasty, but don't believe everything without checking for yourself.
Where do you get a second opinion? Talk with your peers, do some research, and visit other customers who have implemented the specific solution being proposed to you. But talk to somebody who knows payments, who knows PCI, who understands Higher Ed, and who is independent.
As for my radiator, the second opinion came in the same as the first (it's gotta go)...but the price was lower. My cost for the second opinion: trivial. My benefit: knowing I'm making the right decision.
Isn't protecting the institution's brand (and checkbook) worth as much as a crummy radiator?