It has become quite apparent that the current PCI auditing system is broken.
Not only have the scope and complexity of the PCI Data Security Standard put proper security and compliance virtually out of reach for the average merchant; there is potentially a much deeper problem with the system as well.
Think massive oil spills and Minerals Management Service (MMS).
OK, thankfully our payment industry security community hasn't shown any signs of corruption like the MMS, but there is a lesson to be learned here that has recurred many times throughout history.
Self-regulation and self-auditing have historically been shown to be ineffective. The auditor must be independent of the party being audited.
Yet this is not the case in the payment card security industry today. Many qualified security assessors (QSAs) sell security products and services to merchants, and in too many cases that same QSA is then relied on to audit those very services.
Clearly, this has the potential to become a classic case of the fox guarding the hen house.
Granted, there are some controls established by the PCI Security Standards Council to prevent conflicts of interest. The PCI Council performs some quality assurance of QSAs and their audits, but is this enough protection for the merchant?
When large revenue numbers are in question, has any self-regulated body consistently put its sense of ethics ahead of profit? If history has taught us anything, the answer is a resounding "no." This is exactly why corporate finances, and those of countless other industries, are audited by fully independent parties.
Now, as far as a Google search reveals, there are very few obvious signs of conflicts of interest actually occurring.
It is mostly raised eyebrows at this point. But if a salesperson of a QSA can also make money by selling his/her own security products and services, which recommended product or service is likely to get priority status?
If a client spends significant amounts of money with a QSA/services vendor, when these products and services are audited, will there be any bias? The answer is a resounding "yes."
We've seen plenty of examples of this scenario unfolding in other industries, and that is the larger problem. The fact is, cases of corruption will seep into the PCI process, if they haven't already.
Most QSAs are honest and trustworthy, and do conduct unbiased, independent audits. However, with the PCI security industry booming and generating big revenue, the security stakes keep getting higher. After all, cybercriminals are a motivated and proactive group, and they are likely to keep taking advantage of the industry's lack of rigor and its gaps in protection and standards.
I believe our industry needs to mature, learn from history, and do things the right way. If not, our credit card and personal data are at risk of becoming even less secure, and the problem is easily made worse when the PCI security and compliance deployments and the audits of those deployments are executed by the same entity.
Without question, QSAs can become much more efficient if they work with a third party that implements many of the security controls necessary for compliance and makes all of the compliance evidence easily accessible to the merchant.
At the end of the day, this approach is most beneficial to all parties involved. It results in more security, reduced risk and protection of your most valuable asset, your customer.