So, we know from the Gartner folks that sometimes the same company can be used for PCI assessments and then for remediation services or prescribed products. Specifically, they say: "The assessor - which is also a vendor of security services - tells you you need a scanning service for all your nodes and servers, since they’re all somehow connected to the servers holding your cardholder data. Oh, and by the way, they can sell you the scanning service. [...] Well, the card companies may not have learned anything from the Enron and accounting/audit firm debacles of the past few years, but we have. That’s why Gartner strongly recommends that you hire an assessor that doesn’t try to sell you security software or services."
OK, this makes sense, even though I believe that one can handle this gracefully and ethically. This is a conflict of interest to carefully resolve and not a scam.
However, I recently came across the opposite situation, which smacks of scam so strongly that you will need to hold your nose for a loooong time :-) Namely, a PCI assessor is saying the following: "Pay my [possibly increased ...] assessment fee and I will make the findings look like you already have all the technologies needed to comply and you will save tons of money on all this 'unneeded' security gear! If auditors come, my assessment results documentation will look so good, that they will not fine you a dime."
Just how outrageous is that? Just as people grew cynical of compliance spending for security, somebody came up with an idea to spend on compliance and decrease security... Kewl stuff :-)
Does anybody know of any way to report the fucker so that the PCI Security Standards Council will revoke his license and ram a big one up his ...?
6 comments:
Um ok. You write that entry as if this is a new thing? Scams have existed in the Audit industry since auditors first appeared on the scene.
If it's a smaller organization I would terminate the contract right there and then. I would also put out the word to the local auditing organizations. Word will spread fast and this guy will have a tough time finding new work.
If he is part of a large organization then a meeting with the leaders of that organization is in order (I've called the practice leads on more than one occasion due to sketchy consultants).
Notifying the "PCI Committee" won't help. How do you know if someone is certified to begin with? Getting validation of credentials has always been sketchy.
Thanks for the tips ....
Apparently the Gartner folks are not too keen on blogs linking to their "secret" blogs - you know, just FYI ;-)
Hmmm, just have one silly question: how on Earth is one supposed to know that it was a secret blog???
Was there a "TS" label I missed?
Was it a special secret://www.gartner.com url?
Or what???
If you're up for reporting them refer to https://www.pcisecuritystandards.org/tech/supporting_documents.htm
See ASV Feedback Form - Client
and QSA Feedback Form - Client
And first see if they are listed on the ASV or QSA pages:
https://www.pcisecuritystandards.org/resources/qualified_security_assessors.htm
https://www.pcisecuritystandards.org/resources/approved_scanning_vendors.htm
Thanks a lot for the tip! We did manage to resolve it peacefully...