Mar 06 2009
The PCI Security Standards Council has placed two companies in remediation status for issues surrounding reports that have been turned in. Both companies, Payment Software Company and Fortrex Technologies Inc. are going to have to undergo some serious probing of their assessment process in the next few months to reassure the PCI Council. This isn’t a position any Qualified Security Assessor (QSA) company want’s to be in.
There’s no word of exactly why either of the companies were placed in remediation status, but two possibilities come to mind. First, as Rob Westervelt’s article hints at, it could have been due to complaints by merchants the companies had done business with. The PCI Council is surveying merchants to make sure that the merchants are being properly and fairly evaluated. Too much negative feedback isn’t be a good thing, and results in further scrutiny by the PCI Council.
The second reason the companies might be on warning is due to review of the Reports on Compliance that have been turned in. If there was something clearly erroneous in reports or the companies couldn’t produce evidence of the assessment under the review process, the PCI Council would want to review additional reports from that company. Too many errors places the QSA company in remediation status. I don’t know yet what it takes for a company to pull themselves out of remediation status, that might be specific to the company rather than a set time period.
Does two companies being put on probation (if that’s what ‘remediation status’ really is) mean that the PCI-DSS and the PCI Security Standards Council are working or does it mean that the process is flawed? I’d say it probably means both; there are a lot of issues that need to be addressed by PCI and there’s a lot of variation in how it’s being evaluated in the field. As with any industry, there are companies working in the PCI field who probably shouldn’t. It’s definitely an imperfect system. But I’d say this is proof that the PCI Standards can improve. By placing two QSA companies in remediation status, the PCI Council is showing all QSA companies that they’re serious about the quality of the reports they receive and the service merchants receive.
Slowly but surely, the PCI Council is raising the bar on what it means to be a QSA company. This move shows both the critics of PCI and the people working in the PCI field that they’re serious about improving. This will hopefully translate into raising the bar on security for the merchants.