Channel Marker

Jul 11 2007   10:15AM GMT

Segregate your PCI offerings — or else



Posted by: Brein Matturro
Tags:
Channel
Network and application security

High-profile data breaches, such as the one experienced by retailer TJX Companies Inc., have resulted in greater attention being paid to the Payment Card Industry’s Data Security Standard. Value-added resellers (VARs) are in a good position to assist their clients with data security and PCI DSS compliance. But as you move forward, be careful to keep your auditing and assessment services segregated from product sales to avoid potential trouble.

The PCI DSS creates several business opportunities for VARs as described by SearchSecurityChannel columnist Mike Rothman in his article, PCI compliance opportunities for security resellers:

  • Educating customers on PCI DSS requirements
  • Pre-QSA audit and remediation efforts
  • QSA services
  • Product sales to support PCI DSS compliance

While you may have the staff and expertise to deliver all of these services, plan carefully before you do so. Rothman goes on to say:

One more thing to keep in mind is that there is some of the fox guarding the henhouse going on here, since your organization would be in a good position to help the customer become compliant after the assessment. There’s an independence clause in the PCI documentation as to what needs to be disclosed relative to customers you have assessed and who also use your products or managed services. Since this is an ethically murky area, make sure you are on the right side when bidding work on the heels of a poor PCI assessment.

Indeed, according to a SearchSecurity.com Q&A with Burton Group analyst Diana Kelley, companies are being pitched products by the very qualified security assessors (QSAs) who are conducting their audits:

There are some assessors who are actually trying to pitch at the same time they’re in the assessment process. They will go in and remediate for you, or they will pass you if you purchase a specific product from them because that will meet PCI. That’s a big red flag if that happens to your organization.

Kelley advises companies to report such behavior to the PCI Security Standards Council. While it may be natural for your company to follow an audit with a product recommendation and sale, consider how you go about doing so – and whether it’s worth doing at all. SearchSecurityChannel expert John Kindervag offers his advice on how to establish “auditor independence” as mandated by the PCI Validation Requirements for Qualified Security Assessors:

… it is generally accepted that policies be put into place that mandate a separation of duties between QSA auditors and QSAs, or other individuals within a QSA-certified company who provide remediation support.

If you have concerns about staying out of the PCI doghouse, submit your questions to John via our Ask the Expert feature on SearchSecurityChannel. John can answer any specific questions you have as you go about establishing and offering your PCI compliance services.
