PCI QSA assurance program penalizes assessors

By Robert Westervelt, News Editor
05 Mar 2009 | SearchSecurity.com


Two firms certified to assess a company's compliance with the Payment Card Industry Data Security Standard (PCI DSS) have been placed under remediation by the PCI Security Standards Council.

San Jose, Calif.-based Payment Software Company LLC (PSC) and Frederick, Md.-based Fortrex Technologies Inc. were placed in remediation status, which requires the two companies to address issues discovered during a review of their assessment documents or face losing their certification. The PCI Council said qualified security assessor (QSA) organizations placed in remediation have violated the QSA Validation Requirements, which describe the qualifications a QSA must maintain to perform assessments.

PSC was placed into remediation on Jan. 28. Tony Bates, partner and chief operating officer of PSC, declined to comment on the nature of the issues. PSC plans to address the items this month. The firm, which does business globally, must provide the council with documentation showing that the issues it highlighted have been resolved.

"We have a contractual relationship with the PCI Security Standards Council and they can pull our certification at any time," Bates said, adding that the firm is working wholeheartedly to remedy the situation.

Fortrex was put into remediation status because a review of its assessment reports found that they lacked sufficient detail, said Chris Konrad, senior vice president of client services at Fortrex. Konrad said his firm was told that the reports must describe how each PCI requirement was assessed.

"The council made it clear that every cell within the standard needs to stand by itself. They clearly outlined the grading process and we certainly need to follow that grading process," Konrad said. "We have redeveloped our internal quality control policies and procedures and have also made necessary staffing changes."

Fortrex's business is U.S.-based. The company is in its sixth year assessing service providers and merchants. In addition to being certified to conduct payment application qualified security assessments, the firm sells risk management consulting services. It is a reseller in security vendor Qualys Inc.'s PCI Partner Program, according to the company website. Qualys said its "program gives partners generous margins based on their level of certification."

The PCI Council launched its quality assurance program for assessors in September to address growing concerns from merchants about the quality of their assessments and other issues. Merchants have complained that some QSAs do not appear to have the technical skills necessary to conduct a thorough assessment. Other merchants have raised concerns about QSAs pitching security products during the assessment process.

Assessors that receive negative merchant feedback are placed on probation, and a revocation process is in place for assessors that do not address the issues identified by the council.

The feedback form asks merchants to rate the assessor's technical skills and understanding of PCI DSS. It also asks ethics questions, such as whether the assessor implied that a particular commercial product or service was necessary for compliance. The program is overseen by a senior quality assurance analyst. This PCI Council staffer works with QSAs and approved scanning vendors (ASVs) to confirm the findings of a merchant feedback form and to resolve disputes. An assessor is required to give every merchant a feedback form.

Bob Russo, general manager of the PCI Council, said the QA process involves reviewing redacted assessment reports provided by QSAs. The review ensures that all PCI requirements are being assessed. It also checks that the assessment firm is not sending in a junior person to conduct a certification assessment and then having a qualified assessor sign off on the certification once the work is complete.

"We monitor through the redacted reports and in some cases we conduct visits to their sites to make sure they're maintaining all evidence they collect at their sites," Russo said. "We don't look at the technical merits, because otherwise we'd be doing the assessment ourselves."

PCI assessment firms that perform the bulk of the certification assessments are reviewed annually. Other firms are reviewed on a rolling three-year basis, Russo said. When negative merchant feedback is received, the assessment firm in question is reviewed. So far, Russo said, the feedback received from merchants about the program has been positive.

"I think that they're happy that it's here finally and we're policing it at this point," Russo said. "I have no evidence from anyone that the QSA process is flawed in any way at this point; the same way I have no evidence that the standard is flawed in any way."


Editor's note: Story updated to include comment from Fortrex Technologies Inc.
