Avivah Litan

A member of the Gartner Blog Network

VP Distinguished Analyst
12 years at Gartner
30 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Her area of expertise includes financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications.

What’s wrong with PCI?

by Avivah Litan  |  October 6, 2010  |  2 Comments

There is a lot right and a lot wrong with PCI, but one of the wrong parts that infuriates me most comes up often on the phone with companies that have received letters from their banks telling them they must become PCI compliant by a given date or face fines.

Here is the catch: each of these letters recommends that the company work with one specific QSA (Qualified Security Assessor) to get its PCI compliance underway. The bank letters say nothing to their customers about how to evaluate an assessor, how to obtain their own PCI assessment training, how to get up to speed on PCI, how to prioritize their compliance efforts, or anything else that would actually be useful. Just a letter telling them to work with one specific assessor, and that is it.

You have to wonder whether this specific assessor is the one who figures out whom to send the letters to, and whether it drafts the letters itself on behalf of the bank.

The credit card industry needs to clean up its act. It needs to maintain independence from vendors and stop recommending sole-sourced assessors. It also needs to forbid assessors from selling remediation and security services to the companies they assess. We learned the hard way, through the Enron scandal and the auditor-independence reforms that followed it, that audit must be kept separate from remediation and operations. Why is it so hard for the credit card industry to apply those lessons to its own enforcement of PCI?

This type of conflict-of-interest activity should be stopped. At a minimum, companies that have to comply with PCI should never hire an assessor without evaluating several of them, and should look for an assessor that only provides assessments and is not trying to sell the remediation and security services that will presumably make the company PCI compliant.

It’s common sense.

John Pescatore and I wrote a research note on this subject in August 2007, more than three years ago, in case you want to check it out: “The Payment Card Industry Must Disentangle PCI Assessments From Remediation.” Obviously these common-sense arguments have fallen on deaf ears.

Category: Uncategorized

2 responses

  • 1. Mark Bower, October 6, 2010 at 8:24 pm

    Avivah,

    I think you’ve raised a really important point that needs some additional consideration and guidance now. A few years ago there was a smaller population of organizations that could provide advice and assess a PCI-compliant implementation; consequently it was harder to separate the assessor and advisor roles in solving hard-deadline PCI challenges.

    However, the PCI Council has done a great job in training up a large number of QSAs to date; the presentations at the PCI Council event in Orlando attested to this success.

    So now we have lots of choice, and there’s no excuse not to enforce the independence criteria, which are so critical to the integrity of the program. This is particularly acute as there are clearly some firms who are not just reselling solutions, but providing their own services and technology and assessing at the same time, or establishing sister companies that are clearly vehicles for margin/kickbacks on products and services; that’s a road the industry should not go down. Those seeking assessor services should really look under the hood of the companies they are acquiring services from to avoid being victims of vested interests.

    I look forward to additional guidance on this; it’s timely. PCI has overall been very successful for those that embrace it. We held an event recently on this topic with 26 executives from top global retailers, and the positive aspects of PCI compliance resonated unanimously. It would be a shame to see this success marred by the self-interest of assessment firms. We’ve already learned the lesson from the auditor-advisor-provider disasters in the past, Enron and others. This should be easy to avoid again.

    Regards,
    Mark

  • 2. Avivah Litan, October 6, 2010 at 9:45 pm

    Well said Mark. Thanks for the input.