For any merchant who's been frustrated by a PCI assessor, an upcoming program by the PCI Security Standards Council should be a welcome effort.
The council plans to launch a quality assurance program for assessors in September, said Troy Leach, technical director for the PCI Security Standards Council. The program will involve staff members who will be dedicated to quality assurance, and will evaluate feedback from merchants on assessors.
"We want to provide them with the opportunity to provide information back to the council. If there are issues, we will work to correct them," Leach said.
There will be a probation and revocation process for assessors who receive negative feedback, he said.
Merchants and other organizations can currently go to the PCI SSC's website for a feedback form, which asks about an assessor's technical skills and understanding of the PCI Data Security Standard, along with ethics questions such as whether the assessor implied that a particular commercial product or service was necessary for compliance.
The PCI SSC, an independent organization founded by five payment card brands, maintains the PCI standards and governs the training and approval of Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs).
Roger Nebel, an independent PCI DSS auditor and director of strategic security at FTI Consulting, said in an email that the council's QA program was a good idea that "should have been done a long time ago."
Nebel said that PCI SSC representatives told assessors at an annual refresher training course this spring that the program would launch soon. "There have been a lot of problems with the unevenness of assessor skills," he said.
Diana Kelley, founder and partner at consulting firm Security Curve, said she expects a lot of companies dealing with PCI assessment work would be interested in the quality assurance program.
"Companies have reported to me very different experiences with assessors," she said in an email. Having a program that provides additional assurance beyond certification from the council "regarding quality of the assessor's work and conduct is a great thing," Kelley said.
The council currently plans to hire two quality assurance staffers, said Glenn Boyet, director of marketing and communications at the PCI SSC. A job description on the council's website for a senior quality assurance analyst says the staffer will work with QSAs and ASVs to confirm their findings and "resolve misunderstandings resulting from the reviews."
News of the program has "spread like wildfire" since the council told assessors about it in April, Leach said, and many are asking him whether they're handling things correctly. He noted that QSAs are required to implement their own quality assurance programs.
David Taylor, founder of the PCI Knowledge Base and research director of the PCI Security Vendor Alliance, said the QA program is a valuable addition to the council's efforts and could help resolve disputes between merchants, assessors, banks and card brands. Acquiring banks that need to ensure their merchant members are PCI compliant are often put in the middle of disputes over assessments, as are assessors, he said.
"It's a difficult situation, but the bottom line is the ombudsman or quality assurance function becomes critical," Taylor said.
He added that merchant skepticism about the consistency of the PCI assessment process has sometimes translated into assessor shopping. "Depending on their management's commitment or desire to get it done quickly, sometimes they'll go shopping for an easy grader."