The PCI Security Standards Council has placed a third Quality Security Assessment firm in remediation for violating QSA Validation Requirements.
To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.
SecurityMetrics, based in Orem, Utah, was placed on the short list of violators. The company's website touts "a comprehensive set of automated, on-line security services and hardware devices to help Internet connected businesses detect and repair security problems at reasonable prices."
SecurityMetrics could not be reached for comment Tuesday morning. The company touts a three step PCI audit that includes a gap analysis, consulting services and finally an onsite audit for PCI compliance validation. The firm is also certified to conduct Payment Application Data Security Standard (PA-DSS) evaluations. Its other services include onsite computer inspections and internal network vulnerability assessments. The company also sells an appliance that provides intrusion detection and prevention.
Two other firms have been penalized as a result of the PCI Council's quality assurance program, which assesses PCI assessment documents provided by the QSA firm. San Jose, Calif.-based Payment Software Company LLC (PSC) and Frederick, Md.-based Fortrex Technologies Inc. were placed in remediation status. When reached for comment, representatives from both firms said they were addressing issues discovered during the review process.
The PCI SSC's quality assurance program was started in September as a result of mounting complaints from merchants about the quality of their compliance reviews. While the program reviews QSA firms at random, based on the number of assessments conducted, a firm that receives negative feedback from merchants is flagged for review, Bob Russo, general manager of the PCI Council said recently. QSA firms that are placed in remediation could have their certification revoked if they do not address the issues identified by the council.