
PCI audit conflict of interest problems persist

Even though the PCI Security Standards Council's validation requirements for Qualified Security Assessors state that QSAs must act ethically and independently, limiting any source of influence that could compromise their independent judgment during a PCI DSS assessment, conflicts of interest can and do happen.

According to Gartner Inc.'s top expert on PCI DSS, the PCI assessment process is rife with conflicts of interest because QSAs can too easily benefit from the results of their assessments.

"It's not a good idea to have an auditor come in, find the problem, and say, 'By the way, we can sell you the solutions to fix the problems,'" said Avivah Litan, vice president and distinguished analyst with the Stamford, Conn.-based research firm. "It's just an inherent conflict of interest."

In this interview, conducted at the 2014 Gartner Security & Risk Management Summit, Litan discusses PCI conflict of interest issues, why they ultimately harm enterprise payment data security, and the "really simple" solution that could eliminate the problem once and for all.

Litan also discusses why the infamous Target Corp. data breach represented a turning point for enterprise information security, and how it has triggered a rapid move toward chip and PIN payment systems. Finally, Litan analyzes whether the new Retail Information Sharing & Analysis Center (ISAC) will help reduce the risk of retail data breaches, and what it will take for retailers to volunteer to share information with others.

More information:

Forrester's John Kindervag looks at the QSA rule intended to help avoid conflicts of interest during PCI assessments.

Expert Mike Chapple discusses whether running end-of-life software can lead to a compliance violation.


1 comment


Someone should tell Trustwave.
