PCI audit conflict of interest problems persist

PCI audit conflict of interest problems persist

PCI audit conflict of interest problems persist

Date: Aug 12, 2014

Even though the PCI Security Standards Council's validation requirements for Qualified Security Assessors states that QSAs must act ethically and independently by limiting sources of influence that may compromise their independent judgment during a PCS DSS assessment, conflicts of interest can and do happen.

According to Gartner Inc.'s top expert on PCI DSS, the PCI assessment process is rife with conflicts of interest because QSAs can too easily benefit from the results of their assessments.

"It's not a good idea to have an auditor come in, find the problem, and say, 'By the way, we can sell you the solutions to fix the problems,'" said Avivah Litan, vice president and distinguished analyst with the Stamford, Conn.-based research firm. "It's just an inherent conflict of interest."

In this interview, conducted at the 2014 Gartner Security & Risk Management Summit, Litan discusses PCI conflict of interest issues, why they ultimately harm enterprise payment data security, and the "really simple" solution that could eliminate the problem once and for all.

Litan also discusses why the infamous Target Corp. data breach represented a turning point for enterprise information security, and how it has triggered a rapid move toward chip and PIN payment systems. Finally Litan analyzes whether the new Retail Information Sharing & Analysis Center (ISAC) will help reduce the risk of retail data breaches, and what it will take for retailers to volunteer to share information with others.

More information:

Forrester's John Kindervag looks at the QSA rule intended to help avoid conflicts of interest during PCI assessments.

Expert Mike Chapple discusses whether running end-of-life software can lead to a compliance violation.

More on PCI Data Security Standard

  • canderson

    Why infosec will increasingly rely on computer hardware security

    VIDEO - Video: Cryptography luminary Paul Kocher discusses why computer hardware security will play a larger role in the information security product ecosystem.
  • canderson

    PCI 3.0 changes: A PCI compliance requirements checklist for 2015

    VIDEO - In this presentation, compliance expert Nancy Rodriguez offers a line-by-line review of the key PCI DSS changes that become mandatory as of Jan. 1, 2015.
  • canderson

    Gartner on PCI DSS 3.0 changes: Bigger, harder and more expensive

    VIDEO - Gartner analyst Avivah Litan discusses how Gartner clients are reacting to the changes in PCI DSS 3.0, and whether the increased rigor in the standard will prove beneficial to enterprises.
  • National Vulnerability Database (NVD)

    Definition - NVD (National Vulnerability Database) is a product of the National Institute of Standards and Technology (NIST) Computer Security Division and is used by the U.S. Government for security management and compliance as well as automatic vulnerability management.
  • virtual payment terminal

    Definition - Virtual terminals allow sellers to take credit card payments online for orders made online or over the phone without requiring a card reader device.
  • ingress filtering

    Definition - Ingress filtering is a method of verifying that inbound packets arriving at a network are from the source computer they claim to be before entry (or ingress) is granted.
  • Beyond PCI: Out-of-band security tips for credit card data protection

    Tip - Securing credit card data -- both online and at brick-and-mortar stores -- requires security measures beyond those mandated by PCI DSS. Expert Philip Alexander outlines six out-of-band security controls to consider.
  • compensating control

    Definition - Compensating controls were introduced in PCI DSS 1.0, to give organizations an alternative to the requirements for encryption. The alternative is sometimes considered a loophole that creates a security risk.

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: