High-profile data breaches like the one experienced by retailer TJX Companies Inc. have drawn greater attention to the Payment Card Industry's Data Security Standard (PCI DSS). Value-added resellers (VARs) are in a good position to assist their clients with data security and PCI DSS compliance. But as you move forward, be careful to keep your auditing and assessment services segregated from product sales to avoid potential trouble.
The PCI DSS creates several business opportunities for VARs as described by SearchSecurityChannel columnist Mike Rothman in his article, PCI compliance opportunities for security resellers:
- Educating customers on PCI DSS requirements
- Pre-QSA audit and remediation efforts
- QSA services
- Product sales to support PCI DSS compliance
While you may have the staff and expertise to deliver all these services, plan carefully before you do so. Rothman goes on to say:
One more thing to keep in mind is that there is some of the fox guarding the henhouse going on here, since your organization would be in a good position to help the customer become compliant after the assessment. There's an independence clause in the PCI documentation as to what needs to be disclosed relative to customers you have assessed and who also use your products or managed services. Since this is an ethically murky area, make sure you are on the right side when bidding work on the heels of a poor PCI assessment.
Indeed, according to a SearchSecurity.com Q&A with Burton Group analyst Diana Kelley, companies are being pitched products by the qualified security assessors (QSAs) who are conducting audits:
There are some assessors who are actually trying to pitch at the same time they’re in the assessment process. They will go in and remediate for you or they will pass you if you purchase a specific product from them because that will meet PCI. That’s a big red flag if that happens to your organization.
Kelley advises companies to report such behavior to the PCI Security Standards Council. While it may be natural for your company to follow an audit with a product recommendation and sale, consider how you go about doing so, and whether it's worth doing at all. SearchSecurityChannel expert John Kindervag offers his advice on how to establish "auditor independence" as mandated by the PCI Validation Requirements for Qualified Security Assessors:
… it is generally accepted that policies be put into place that mandate a separation of duties between QSA auditors and QSAs, or other individuals within a QSA-certified company, who provide remediation support.
If you have concerns about staying out of the PCI dog house, submit your questions to John via our Ask the Expert feature on SearchSecurityChannel. John can answer any specific questions you have as you go about establishing and offering your PCI compliance services.