Welcome to NBlog, the NoticeBored blog

I may meander but I'm exploring, not lost

Dec 11, 2007

PCI DSS audit accreditation

An Australian security consultancy's blog entry on their failure to win PCI DSS audit assignments ably demonstrates a severe conflict of interest in this market. They have been losing out to competitors who promise to complete the audits much quicker and (implicitly at least) to certify the client compliant. The commercial pressure is clear: the process of applying and qualifying to become a PCI DSS auditor is expensive in both time and $$$$. If auditors who intend to audit clients properly against the standard consistently lose bids to those who (allegedly) will do a superficial audit and pass the client almost regardless of the findings, then they will eventually face a tough choice. Uphold their principles or compromise them just to recoup their costs and stay in the business.

The same pressures occur with other certifications and are generally handled by a rigorous accreditation process whereby certification auditors are carefully assessed to determine their suitability and rigour. I wonder whether PCI DSS has this? Are PCI DSS auditors re-assessed from time to time? Does the PCI consortium check the quality of their assessments, for example by independently re-auditing certified PCI compliant merchants to confirm whether they are truly compliant? If not, I doubt that the PCI DSS scheme warrants the confidence level it currently enjoys.