PCI council to launch assessor quality assurance program

By Marcia Savage, Features Editor, Information Security magazine
11 Jun 2008 | SearchSecurity.com


For any merchant who's been frustrated by a PCI assessor, an upcoming program by the PCI Security Standards Council should be a welcome effort.


The council plans to launch a quality assurance program for assessors in September, said Troy Leach, technical director for the PCI Security Standards Council. The program will involve staff members who will be dedicated to quality assurance, and will evaluate feedback from merchants on assessors.

"We want to provide them with the opportunity to provide information back to the council. If there are issues, we will work to correct them," Leach said.

There will be a probation and revocation process for assessors who receive negative feedback, he said.

Merchants and other organizations can currently go to the PCI SSC's website for a feedback form, which asks about an assessor's technical skills and understanding of the PCI Data Security Standard, along with ethics questions such as whether the assessor implied that a particular commercial product or service was necessary for compliance.

The PCI SSC, an independent organization founded by five payment card brands, maintains the PCI standards and governs training and approval of Qualified Security Assessors (QSA) and Approved Scanning Vendors (ASV).


Roger Nebel, an independent PCI DSS auditor and director of strategic security at FTI Consulting, said in an email that the council's QA program was a good idea that "should have been done a long time ago."

Nebel said that PCI SSC representatives told assessors at an annual refresher training course this spring that the program would launch soon. "There have been a lot of problems with the unevenness of assessor skills," he said.

Diana Kelley, founder and partner at consulting firm Security Curve, said she expects a lot of companies dealing with PCI assessment work would be interested in the quality assurance program.

"Companies have reported to me very different experiences with assessors," she said in an email. Having a program that provides additional assurance beyond certification from the council "regarding quality of the assessor's work and conduct is a great thing," Kelley said.

The council currently plans to hire two quality assurance staffers, said Glenn Boyet, director of marketing and communications at the PCI SSC. A job description on the council's website for a senior quality assurance analyst says the staffer will work with QSAs and ASVs to confirm their findings and "resolve misunderstandings resulting from the reviews."

News of the program has "spread like wildfire" since the council told assessors about it in April, Leach said, and many are asking him whether they're handling things correctly. He noted that QSAs are required to implement their own quality assurance programs.

David Taylor, founder of the PCI Knowledge Base and research director of the PCI Security Vendor Alliance, said the QA program is a valuable addition to the council's efforts and could help resolve disputes between merchants, assessors, banks and card brands. Acquiring banks that need to ensure their merchant members are PCI compliant are often put in the middle of disputes over assessments, as are assessors, he said.

"It's a difficult situation, but the bottom line is the ombudsman or quality assurance function becomes critical," Taylor said.

He added that merchant skepticism about the consistency of the PCI assessment process has sometimes translated into assessor shopping. "Depending on their management's commitment or desire to get it done quickly, sometimes they'll go shopping for an easy grader."
