Two firms certified to assess a company's compliance with the Payment Card Industry Data Security Standard (PCI DSS) have been placed under remediation by the PCI Security Standards Council.
San Jose, Calif.-based Payment Software Company LLC (PSC) and Frederick, Md.-based Fortrex Technologies Inc. were placed in remediation status, forcing the two companies to address issues discovered during a review of assessment documents or face losing certification. The PCI Council said qualified security assessor (QSA) organizations placed in remediation have violated QSA Validation Requirements. The requirements describe the qualifications a QSA must have to perform assessments.
PSC was placed into remediation on Jan. 28. Tony Bates, partner and chief operating officer of PSC declined to comment on the nature of the issues. PSC plans to address the items this month. The firm, which does business globally, must provide documentation validating the issues highlighted by the council.
"We have a contractual relationship with the PCI Security Standards Council and they can pull our certification at any time," Bates said, adding that the firm is working wholeheartedly to remedy the situation.
Fortrex was put into remediation status because a review of its assessment reports found that they lacked enough detail, said Chris Konrad, senior vice president of client services at Fortrex. Konrad said his firm was told that the reports have to be more descriptive of each PCI requirement.
"The council made it clear that every cell within the standard needs to stand by itself. They clearly outlined the grading process and we certainly need to follow that grading process," Konrad said. "We have redeveloped our internal quality control policies and procedures and have also made necessary staffing changes."
Fortrex's business is U.S.-based. The company is in its sixth year assessing service providers and merchants. In addition to being certified to conduct payment application quality security assessments, the firm sells risk management consulting services. It is a reseller in security vendor Qualys Inc.'s PCI Partner Program, according to the company website. Qualys said its "program gives partners generous margins based on their level of certification."
The PCI Council launched its quality assurance program for assessors in September to address growing concerns from merchants about the quality of their assessments and other issues. Merchants have complained that some QSAs don't appear to have the technical skills necessary to conduct a thorough assessment. Other merchants have raised issues with QSAs pitching security products during the assessment process.
Merchants that receive negative feedback are placed on probation and a revocation process is in place if assessors do not address the issues identified by the council.
The feedback form asks merchants to address the assessor's technical skills and understanding of PCI DSS. It also asks ethics questions such as whether the assessor implied that a particular commercial product or service was necessary for compliance. The program is overseen by a senior quality assurance analyst. The PCI Council staffer works with QSAs and approved scanning vendors (ASV) to confirm the findings of a merchant feedback form and resolve disputes. An assessor is required to give every merchant a feedback form.
Bob Russo, general manager of the PCI Council, said the QA process involves reviewing redacted assessment reports provided by QSAs. The review ensures all PCI requirements are being assessed. A review is also conducted to ensure the assessment firm is not sending in a junior person to conduct a certification assessment and then signing off on certification when the assessment is complete.
"We monitor through the redacted reports and in some cases we conduct visits to their sites to make sure they're maintaining all evidence they collect at their sites," Russo said. "We don't look at the technical merits, because otherwise we'd be doing the assessment ourselves."
PCI assessment firms that do the bulk of the certification assessments are reviewed annually. Other firms are reviewed on a rolling three-year basis, Russo said. When negative merchant feedback is received, the assessment firm is reviewed. So far the feedback received from merchants about the program has been positive.
"I think that they're happy that it's here finally and we're policing it at this point," Russo said. "I have no evidence from anyone that the QSA process is flawed in any way at this point; the same way I have no evidence that the standard is flawed in any way."
Editor's note: Story updated to include comment from Fortrex Technologies Inc.