Tuesday, August 14, 2007

Is Your PCI Auditor a Scammer?

So, we know from the Gartner folks that sometimes the same company can be used for PCI assessments and then for remediation services or prescribed products. Specifically, they say: "The assessor - which is also a vendor of security services - tells you you need a scanning service for all your nodes and servers, since they’re all somehow connected to the servers holding your cardholder data. Oh, and by the way, they can sell you the scanning service. [...] Well, the card companies may not learned anything from the Enron and accounting/audit firm debacles of the past few years, but we have. That’s why Gartner strongly recommends that you hire an assessor that doesn’t try to sell you security software or services."

OK, this makes sense, even though I believe that one can handle this gracefully and ethically. This is a conflict of interest to carefully resolve and not a scam.

However, I recently came across the opposite situation, which smacks of scam so strongly that you will need to hold your nose for a loooong time :-) Namely, a PCI assessor is saying the following: "Pay my [possibly increased ...] assessment fee and I will make the findings look  like you already have all the technologies needed to comply and you will save tons of money on all this 'unneeded' security gear! If auditors come, my assessment results documentation will look so good, that they will not fine you a dime."

Just how outrageous is that? Just as people grew cynical of compliance spending for security, somebody came up with an idea to spend on compliance and decrease security... Kewl stuff :-)

Anybody knows of any way to report the fucker so that PCI Security Standards Council will revoke his license and ram a big one up his ...?

Technorati tags: , ,

Dr Anton Chuvakin