
PCI council to launch assessor quality assurance program

Staff will evaluate merchant feedback on the quality of their assessors and issue probations and revoke certification for negative comments.

For any merchant who's been frustrated by a PCI assessor, an upcoming program by the PCI Security Standards Council should be a welcome effort.

The council plans to launch a quality assurance program for assessors in September, said Troy Leach, technical director for the PCI Security Standards Council. The program will involve staff members who will be dedicated to quality assurance, and will evaluate feedback from merchants on assessors.

"We want to provide them with the opportunity to provide information back to the council. If there are issues, we will work to correct them," Leach said.

There will be a probation and revocation process for assessors who receive negative feedback, he said.

Merchants and other organizations can currently go to the PCI SSC's website for a feedback form, which asks about an assessor's technical skills and understanding of the PCI Data Security Standard, along with ethics questions such as whether the assessor implied that a particular commercial product or service was necessary for compliance.

The PCI SSC, an independent organization founded by five payment card brands, maintains the PCI standards and governs training and approval of Qualified Security Assessors (QSA) and Approved Scanning Vendors (ASV).

Roger Nebel, an independent PCI DSS auditor and director of strategic security at FTI Consulting, said in an email that the council's QA program was a good idea that "should have been done a long time ago."

Nebel said that PCI SSC representatives told assessors at an annual refresher training course this spring that the program would launch soon. "There have been a lot of problems with the unevenness of assessor skills," he said.

Diana Kelley, founder and partner at consulting firm Security Curve, said she expects a lot of companies dealing with PCI assessment work would be interested in the quality assurance program.

"Companies have reported to me very different experiences with assessors," she said in an email. Having a program that provides additional assurance beyond certification from the council "regarding quality of the assessor's work and conduct is a great thing," Kelley said.

The council currently plans to hire two quality assurance staffers, said Glenn Boyet, director of marketing and communications at the PCI SSC. A job description on the council's website for a senior quality assurance analyst says the staffer will work with QSAs and ASVs to confirm their findings and "resolve misunderstandings resulting from the reviews."

News of the program has "spread like wildfire" since the council told assessors about it in April, Leach said, and many are asking him whether they're handling things correctly. He noted that QSAs are required to implement their own quality assurance programs.

David Taylor, founder of the PCI Knowledge Base and research director of the PCI Security Vendor Alliance, said the QA program is a valuable addition to the council's efforts and could help resolve disputes between merchants, assessors, banks and card brands. Acquiring banks that need to ensure their merchant members are PCI compliant are often put in the middle of disputes over assessments, as are assessors, he said.

"It's a difficult situation, but the bottom line is the ombudsman or quality assurance function becomes critical," Taylor said.

He added that merchant skepticism about the consistency of the PCI assessment process has sometimes translated into assessor shopping. "Depending on their management's commitment or desire to get it done quickly, sometimes they'll go shopping for an easy grader."
