PCI Council Starts a Quality-Control Program for Assessors

(November 17, 2008) The PCI Security Standards Council on Monday introduced a quality-assurance program for the companies that determine whether a merchant, processor, or other entity that touches credit and debit card data meets the council’s rules. The Wakefield, Mass.-based council’s aim is to ensure more uniform enforcement of the Payment Card Industry data-security standard, or PCI.

“We want to make sure it’s as level a playing field as we possibly can,” Robert Russo, general manager of the Wakefield, Mass.-based PCI Council, tells Digital Transactions News.

Participation in the program will be mandatory for PCI Council-registered Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs). The council has 164 QSAs (87 in the U.S., 16 in Canada), and 145 ASVs, 74 of which also are QSAs. QSAs send assessors out to examine payment-processing systems, while ASVs scan data networks remotely.

Russo says that in launching the program, the council is responding to feedback from PCI-participating organizations and others with a stake in card security about the need for as much uniformity in PCI exams as possible—an often difficult task because determining the existence and degree of a security vulnerability, while in many cases a clear-cut matter, in others can be subjective. “It’s a people business,” Russo says.

But Russo says there was no single event that prompted the program. “It’s not a knee-jerk reaction, it’s the next logical step in the evolution of the program,” he says. The five major card networks—Visa, MasterCard, American Express, Discover, and JCB—created the council to administer and update a common set of security rules now known as PCI, though enforcement remains the responsibility of each network.

The quality-control program arrives not a moment too soon, according to Gartner Inc. analyst Avivah Litan, who researches security technology. “There have been many rumblings about the inconsistent quality of the QSAs,” she tells Digital Transactions News via e-mail. A major issue with PCI compliance is that “a retailer can get two different opinions from the same assessor within a few months,” she says. “And each change of opinion can potentially cost hundreds of thousands or even millions of dollars. Opinions issued by different assessor firms, and by even the same assessor within the same firm, are often different.” Assessors also sometimes have “knee-jerk” reactions and revisit clients they’ve recently examined if a new breach exposes a vulnerability they think should be fixed quickly, she adds.

A big part of the program involves increased monitoring of PCI compliance reports by the QSAs and ASVs. Registered firms will be required to submit samplings of their reports, edited for client confidentiality, to the council for periodic review. That will add some work for the assessors, according to Andrew Bokor, chief operating officer of Chicago-based Trustwave, one of the biggest PCI assessors. A recent Trustwave quarterly report to meet the new guidelines took two staffers two-and-a-half weeks to prepare, he says. Still, Bokor doesn’t see that work as a major added task, though he says the program could be more burdensome for smaller QSAs and ASVs. “For us it will not be that impactful primarily because we have a fairly rigorous QA [quality-assurance] training program to begin with,” he says.

Bokor says he doesn’t have one incident that comes to mind, but says there “have been concerns” among the larger assessment firms about “inconsistencies in the QSAs,” mostly involving the work of smaller assessors. “I don’t think there was any foul play involved,” he says.

Uneven assessment quality could be a result of inadequate training, according to Litan. “It’s very easy today to become a QSA,” she says. “The screening of these folks is severely lacking.” Russo, however, says companies are vetted when they first come into the QSA and ASV fields for experience, training, and insurance—a process repeated annually.

Besides the increased monitoring of assessor reports, Russo says council staffers will be visiting the offices of QSAs and ASVs periodically. A PCI Council release says ongoing features of the program include certification reviews, credit checks, training, educational Webinars, newsletters, a dedicated e-mail service, question-and-answer documents, informational supplements, and feedback forms. The PCI Council will roll out the program in four stages next year.