Tuesday, August 14, 2007

Is Your PCI Auditor a Scammer?

So, we know from the Gartner folks that sometimes the same company is used for PCI assessments and then for remediation services or prescribed products. Specifically, they say: "The assessor - which is also a vendor of security services - tells you you need a scanning service for all your nodes and servers, since they're all somehow connected to the servers holding your cardholder data. Oh, and by the way, they can sell you the scanning service. [...] Well, the card companies may not have learned anything from the Enron and accounting/audit firm debacles of the past few years, but we have. That's why Gartner strongly recommends that you hire an assessor that doesn't try to sell you security software or services."

OK, this makes sense, even though I believe that one can handle this gracefully and ethically. This is a conflict of interest to be carefully resolved, not a scam.

However, I recently came across the opposite situation, which smacks of a scam so strongly that you will need to hold your nose for a loooong time :-) Namely, a PCI assessor is saying the following: "Pay my [possibly increased ...] assessment fee and I will make the findings look like you already have all the technologies needed to comply, and you will save tons of money on all this 'unneeded' security gear! If auditors come, my assessment results documentation will look so good that they will not fine you a dime."

Just how outrageous is that? Just as people grew cynical about compliance spending for security, somebody came up with an idea to spend on compliance and decrease security... Kewl stuff :-)

Does anybody know of any way to report the fucker so that the PCI Security Standards Council will revoke his license and ram a big one up his ...?


6 comments:

yoshi said...

Um ok. You write that entry as if this is a new thing? Scams have existed in the Audit industry since auditors first appeared on the scene.

If it's a smaller organization I would terminate the contract right there and then. I would also put out the word to the local auditing organizations. Word will spread fast and this guy will have a tough time finding new work.

If he is part of a large organization then a meeting with the leaders of that organization is in order (I've called the practice leads on more than one occasion due to sketchy consultants).

Notifying the "PCI Committee" won't help. How do you know if someone is certified to begin with? Getting validation of credentials has always been sketchy.

Anton Chuvakin said...

Thanks for the tips ....

Anonymous said...

Apparently the Gartner folks are not too keen on blogs linking to their "secret" blogs - you know, just FYI ;-)

Anton Chuvakin said...

Hmmm, I just have one silly question: how on Earth is one supposed to know that it was a secret blog???

Was there a "TS" label I missed?
Was it a special secret://www.gartner.com url?
Or what???

Anonymous said...

If you're up for reporting them, refer to https://www.pcisecuritystandards.org/tech/supporting_documents.htm

See ASV Feedback Form - Client
and QSA Feedback Form - Client

And first see if they are listed on the ASV or QSA pages:
https://www.pcisecuritystandards.org/resources/qualified_security_assessors.htm
https://www.pcisecuritystandards.org/resources/approved_scanning_vendors.htm

Anton Chuvakin said...

Thanks a lot for the tip! We did manage to resolve it peacefully...

Dr Anton Chuvakin