There’s a lot right and a lot wrong with PCI, but one of the wrong parts that infuriates me the most comes up often on the phone with companies that have received letters from their banks telling them they must become PCI compliant by X date or else they will be fined.
Here’s the catch – each of these letters recommends they work with a specific QSA (Qualified Security Assessor) to get their PCI compliance underway. The bank letters don’t say anything to their customers about how to evaluate an assessor, or how to obtain their own PCI assessment training, or how to get up to speed on PCI, or how to prioritize their compliance efforts, or anything else that’s really useful. Just a letter telling them to work with one specific assessor and that’s it.
You have to wonder if this specific assessor is the one who figures out who to send the letters to, and if they draft the letters themselves on behalf of the bank.
The credit card industry needs to clean up its act. It needs to maintain independence from vendors and not recommend sole sourcing of assessors. It also needs to forbid assessors from selling remediation and security services. We learned the need to separate audits from remediation and operations the hard way during the Enron scandal. Why is it so hard for the credit card industry to apply those lessons to its own enforcement of PCI?
This type of conflict-of-interest activity should be stopped. At a minimum, companies that have to comply with PCI should never hire an assessor without evaluating a few of them, and should look for an assessor that only provides audits – and is not trying to sell the remediation and security services that will presumably make the company PCI compliant.
It’s common sense.
John Pescatore and I wrote a note on this subject in August 2007 – more than three years ago, in case you want to check it out: “The Payment Card Industry Must Disentangle PCI Assessments From Remediation.” Obviously these common-sense arguments fall on deaf ears.