An open letter to my public transit company

Guest Column By Ben Rothke, Network World
February 08, 2010 11:06 AM ET

Dear Management,

I am writing as a customer of yours (both rail and bus) and as a Payment Card Industry qualified security assessor.

For the last week I have been barraged by phone calls and e-mails from various technology body shops asking what my lowest and best rate was for a six-month PCI project you are looking to staff. I've also received e-mails from a bunch of folks trying to get me to work on a project for you. I have heard various rates of $55 to $70 per hour for this PCI project. Note that these rates are considerably lower than the market rates for qualified PCI professionals, especially in the tri-state area.

As part of the job requisition, you write that you are looking for a PCI project manager to perform a PCI assessment, identify gaps and prepare a remediation plan. The PCI project manager will be ultimately responsible to the agency that will manage the entire effort from start to finish.

Information gleaned from the job requisition and your Web site shows that you are a Level 2 merchant that processes credit card transactions via more than 700 ticket vending machines and ticket office machines on location throughout the area, and via a tickets-by-mail program with subscriptions entered through your Web site.

Reading between the lines, it seems that you, like many other merchants, are quite behind on your PCI compliance effort and are looking to quickly come up to speed.

First off, asking for the lowest and best rate for information security projects is like shopping for mountain rope or parachute supplies with price as the main factor. Taking the least expensive security vendor is simply too great a risk. When it comes to PCI and information security, price is certainly a factor, but it should not be the main factor when selecting a vendor.
You need to find a trusted partner for PCI and security. In fact, a trusted partner may be significantly less expensive in the long run. A good QSA can provide guidance on how to minimize the effort and costs associated with compliance -- for example, by showing how to minimize scope by removing cardholder data and employing effective segmentation.

In your case, the PCI effort won't be cheap. But a single security breach can be orders of magnitude more expensive than taking the miserly PCI road.

Next, dealing with PCI is not simply about sending job requirements out to every body shop in the hope of finding the bargain-rate firm. In fact, with PCI, you don't hire an individual, you hire a QSA-qualified firm. This bears repeating, as it is a mistake made by many organizations that are new to PCI: you can't have an individual, even one who is a certified QSA, perform PCI assessment work on a freelance basis.

Choosing a vendor to help you with PCI is a significant decision to make. Specific PCI expertise is important when looking for PCI assistance, but you may want to avoid vendors that do nothing but PCI. You will get the best value from vendors that understand how PCI security controls overlap with and complement other standards and best practices.
