Welcome to the SecAware blog

I spy with my beady eye ...

11 Dec 2007

PCI DSS audit accreditation

An Australian security consultancy's blog entry on their failure to win PCI DSS audit assignments ably demonstrates a severe conflict of interest in this market. They have been losing out to competitors who promise to complete the audits much quicker and (implicitly at least) to certify the client compliant. The commercial pressure is clear: the process of applying and qualifying to become a PCI DSS auditor is expensive in both time and money. If auditors who intend to audit clients properly against the standard consistently lose bids to those who (allegedly) will do a superficial audit and pass the client almost regardless of the findings, then they will eventually face a tough choice: uphold their principles, or compromise them just to recoup their costs and stay in the business.

The same pressures occur with other certifications and are generally handled by a rigorous accreditation process whereby certification auditors are carefully assessed to determine their suitability and rigour. I wonder whether PCI DSS has this. Are PCI DSS auditors re-assessed from time to time? Does the PCI consortium check the quality of their assessments, for example by independently re-auditing certified PCI-compliant merchants to confirm whether they are truly compliant? If not, I doubt that the PCI DSS scheme warrants the confidence level it currently enjoys.

1 comment:

  1. Hey, thanks for the link. This is a topic that warrants a bit of attention. We've added another story in Beast or Buddha a while back about choosing your PCI Auditors carefully. (Should still be on the front page in the "Most Read" section). That made a few QSAs in the region nervous and asking if it was about them. Nervous? So they should be :-).

    There is no real quality assurance done on QSAs. If you have the bucks, you can become a QSA. Sit through a 1-2 day training session, pass an exam (which you'd need to be pretty hopeless not to pass) and you're on the list as an expert.

    I've raised it with Visa and Mastercard and there's no solution I am aware of. On the one hand, they need QSAs to keep momentum with the program - lose QSAs and it may jeopardise that awareness.

    Companies need to be very careful when deciding who to go with.