The potential for conflict of interest with the same person selling security equipment who is conducting the audit is poor. The only way around this is independent certification of security products to determine whether they are compliant as per PCI standards. The ONLY company which is doing this right now to my knowledge is NSS Labs (out of Chicago). NSS has a long history of security testing and certification and, more importantly, appears to be the ONLY independent security testing and certification facility which is truly independent (i.e. is not owned by or affiliated with a company with a vested interest in selling security products or managed services). One of the vendors we use is already going through the NSS PCI certification process and it looks pretty good - will certainly be of use to us in the future when it comes to selecting security products to maintain our PCI compliance.
IBM Already in Conflict?
It's clearly stated in the QSA contract with the council that QSAs cannot exclusively push their own software/solutions. If there is an IBM director saying IBM will exclusively suggest its own products, then the council needs to review the IBM QSA certification.
Reporting Conflicts?
I can't see companies turning on the very resources they are using to say they are PCI compliant.
The merchant doesn't care who they spend their money with - they just want someone to tell them they're compliant. They are not likely to turn around after being certified as compliant and rat out their certifiers.
They would then run the risk of having further costs to re-certify under different QSAs.
IBM clarification regarding PCI story
Dear Editor,
I'd like to clarify a point in Ellen Messmer's story, "PCI compliance mandate's power raises conflict-of-interest questions" on November 8, that incorrectly stated IBM's approach to recommending non-IBM products during PCI assessments (http://www.networkworld.com/news/2007/110807-pci-compliance.html?page=2).
The Payment Card Industry's Data Security Standard brings tighter security around consumer personal information and also many unique compliance challenges for businesses. Our recent announcement pointed out that IBM is the only known vendor to provide technologies addressing all 12 PCI requirements. However, as a certified PCI Qualified Security Company, our certified Qualified Security Assessors must not and do not recommend any tool or solutions to the deference of any other to help a client resolve any PCI issue.
The ISS Service Delivery Unit is a fully independent business within IBM, and we pride ourselves in our ability to maintain this independence while helping our clients reach their goals.
Both IBM and pre-IBM-acquisition-ISS created successful services businesses by separating our technologies from our consultant work. Services would never have grown to become over half of IBM's annual revenue without a vendor agnostic approach.
-- Howard Glavin, Global Manager, IBM Internet Security Systems PCI Service Delivery Unit (Tampa, FL)