Businesses that accept credit cards have to ensure their networks are secured according to the Payment Card Industry Data Security Standard (PCI DSS). To achieve that, they often make security investments based on the advice of the organization that sets the standard and of its 60 or so qualified security assessors (QSAs), who are empowered to judge whether a business is PCI compliant or not.
The situation has given the PCI Security Standards Council — which requires that its members be allowed to read or comment on any of its proposed standards — great power to alter the direction of network security. Moreover, QSAs typically make recommendations about which security products and services to buy, and have therefore taken on a new power-broker role.
Businesses are at liberty to hire any QSA they wish to take them through what is becoming an annual PCI audit process, but questions are starting to be raised, even by the council itself, about how achieving PCI compliance works. One thing is clear: if you don’t achieve compliance, you may not be allowed to process credit cards.
Achieving compliance often requires the business being audited to make changes, including purchasing new products, to meet the council’s 12-part security rules, and the QSA is there to tell them what to do. “When a company becomes a QSA, they sign a document with us that they are not allowed to go in and say ‘the only way to fix this is with a product I sell,’” says Bob Russo, general manager of the Wakefield, Mass.-based PCI Security Standards Council, formed two years ago by the credit card associations, including Visa and MasterCard. It’s fine for QSAs to recommend their own products to achieve PCI compliance, but “You can’t say, ‘you need my product in order to be compliant,’” he says.
The council’s PCI-compliance program includes a feedback form that merchants are supposed to fill out that would let them divulge what transpired with a QSA, but Russo acknowledges these forms aren’t always making it to the council. The council is considering hiring a quality-assurance specialist to keep an eye on the QSAs. “We’re interviewing now for a quality-assurance person for this,” he says. One thing the specialist will be doing is talking to merchants to find out if they were coerced into buying products.
The new quality-assurance specialist position is especially important because the PCI-compliance program, mandated by banks and the card associations, is expanding: The council just announced it intends to create a new standard for payment-application security that will be published early next year. That standard will lead to QSAs being certified to evaluate applications. The program probably will reflect a program Visa has in place today.
Several of the QSAs, including IBM and Symantec, have plenty of their own products to sell. The PCI-compliance mandate is now such a dominant force that IBM has put together a set of professional services aimed at preparing businesses for the PCI audit, an audit IBM itself could also perform. “This is professional services combined with products and managed services,” says Kris Lovejoy, director of governance and risk management strategy for IBM, about the company's soup-to-nuts PCI program offering assessment, design, deployment, management and education. IBM would sell its own products to ensure PCI compliance, and was not likely to recommend non-IBM products unless there was a gap that IBM products couldn’t fill, she says.
Comments (4)
RE: PCI compliance mandate's power raises conflict-of-interest questions
By Andy Wilby on November 9, 2007, 4:09 am
The potential for conflict of interest with the same person selling security equipment who is conducting the audit is poor. The only way around this is independent...
Reporting Conflicts?
By swmcdermo on November 12, 2007, 11:36 am
I can't see companies turning on the very resources they are using to say they are PCI compliant. The merchant doesn't care who they spend their money with - they...
IBM Already in Conflict?
By swmcdermo on November 12, 2007, 11:37 am
It's clearly stated in the QSA contract with the council that QSAs cannot exclusively push their own software/solutions. If there is an IBM director saying IBM will...
IBM clarification regarding PCI story
By Howard Glavin on November 20, 2007, 2:21 pm
Dear Editor, I'd like to clarify a point in Ellen Messmer's story, "PCI compliance mandate's power raises conflict-of-interest questions" on November 8, that...