As the card companies press for greater merchant compliance with the Payment Card Industry data security standard, some industry watchers are warning of a potential conflict of interest posed by companies that conduct audits and also offer to correct deficiencies.
Though the PCI standard has been in place since 2005, payments systems at many merchants, especially smaller ones, still do not comply with its requirements.
The PCI Security Standards Council, a trade group formed in September of last year to promote the use of the standard, maintains a list of qualified security assessors authorized to audit merchants' card systems. The group has no formal policy barring these assessors from also helping merchants update their systems, and some people in the PCI compliance market say this could present a problem.
"There's nothing official within the guidance from the PCI Security Council that draws a conflict of interest separation of duties distinction," said Chris Noell, the chief executive of TruComply, a PCI consulting company in Austin that is not a qualified security assessor. "But certainly as a matter of general good practice, the person who does the audit should be someone different than who is actually applying the fix."
Avivah Litan, a vice president and research director at Gartner Inc., a market research company in Stamford, Conn., said this practice would lead to assessors certifying their own work. While it may seem convenient to use a QSA for both PCI audits and remediation work, she said that "doing so poses a large risk to businesses because the assessors could broaden the scope of what's assessed so they can sell more services."
In a report published this week, Ms. Litan wrote that "any potential fines from the payment card industry are dwarfed by the real costs of dealing with any exposure of cardholder data — having tunnel vision on PCI compliance (vs. focusing on protecting cardholder data) will inevitably result in higher costs in the long run."
In the interview, Ms. Litan said: "If you look back at when the Enron and WorldCom scandals broke out, the regulators came up with rules that you have to have a Chinese wall between the auditors and consultants and services. The PCI council hasn't learned anything from that."
However, Bob Russo, the general manager of the PCI Security Standards Council, said his group has not "received or heard any complaints from any of the people out there being assessed that they feel there is a conflict," though he said he has heard "the rumblings from analysts" about the potential for conflict of interest.
Not only is there no rule against assessors conducting remediation work for a merchant, there is no rule requiring that a company hire anyone to correct any PCI deficiencies, Mr. Russo said. Many of the largest merchants have their own technology departments, and "in many cases they choose to remediate the issues themselves and then have the assessor come back" and reassess their systems, he said.
Many companies want to use a single company for audits and remediation, Mr. Russo said. "A one-stop shop is a lot easier than going out to three or four different companies and paying what we think would probably be more money," he said.
He noted that assessors offering mitigation services to merchants must provide a range of services to choose from. "We think there's a pretty good arm's-length relationship between the QSAs and the merchants — that the merchants have the option," he said.
The PCI standard defines how merchants may use and store payment card account information, and is designed to limit the amount and type of information that would be obtained in a data security breach.
Last month Visa U.S.A. imposed a July 31 deadline on its merchant acquirers to summarize their small merchants' plans for complying with the PCI standards. Visa does not deal directly with merchants, but the intent of this deadline was to prompt acquirers to be more aggressive about ensuring that their merchant clients follow the PCI requirements, especially small merchants.
The San Francisco card company has said that small businesses represent less than 5% of potentially exposed accounts but have been the source of 80% of identified data security compromises since Jan. 1, 2005.
A MasterCard Inc. spokesperson wrote in an e-mail that merchants signing any service contract should use "simple common sense to carefully examine all your options and find the provider or providers and solutions that best suit your needs."
Mark Lippman, a senior partner with the Arsenal Security Group Inc., a QSA in McLean, Va., said his company provides both PCI auditing and remediation. Though Arsenal has never provided both services to the same client, he said that in most cases he would have no problem doing so, because the two jobs require similar knowledge.
The potential for a conflict of interest is reduced because any problems that occur on the client side would ultimately reflect poorly on the assessor, Mr. Lippman said.
"Ultimately it's the credibility of the firm, because if they're letting anything slide through, and there's a breach or an issue down the road, they're going to be liable for it and potentially lose their QSA certification," he said. "I don't think there's any potential upside for not doing it the correct way."
Accuvant Inc., a Denver QSA, has conducted both audits and mitigation work for a small number of clients, said Evan Tegethoff, its director of compliance services. He said some rules for QSAs apply to companies that offer both types of services.
"When you sign up to be a QSA, you can be in breach of your contract if you're found to be pushing any service or product specifically for PCI compliance," Mr. Tegethoff said. "That's understood to be a no-no." And assessors that also help merchants correct their systems must note that fact in their audit reports.
"We educate them on what the potential conflicts are and we leave the decision to" the merchants, Mr. Tegethoff said. "We are their trusted adviser. We turn down work that isn't appropriate if our clients don't need it."