25 July, 2007 12:07 PM EST
Payment Card Industry Q&A #3
Posted By: Avivah Litan, VP Distinguished Analyst

How do you choose a PCI assessor?

Gartner's clients often ask what we think of the various "qualified data security companies" that the PCI Security Standards Council says are acceptable to work with on PCI assessments. Well, there are some important areas where we part company with the council. One of the most important is that the council sanctions the use of an assessor that is also trying to sell you security services. This is completely at odds with established best practices in audit and compliance. Is it difficult to imagine a scenario like this? The assessor - which is also a vendor of security services - tells you that you need a scanning service for all your nodes and servers, since they're all somehow connected to the servers holding your cardholder data. Oh, and by the way, they can sell you the scanning service. Once they've finished scanning all the servers, you'll also need an intrusion prevention service (IPS) for all of them - which they just happen to sell, too - and only once you've done all that will you finally be "PCI-compliant."

Well, the card companies may not have learned anything from the Enron and accounting/audit firm debacles of the past few years, but we have. That's why Gartner strongly recommends that you hire an assessor that doesn't try to sell you security software or services. If, for whatever reason, you really want to use an assessor that does both - assessments and sales - make sure it has the proverbial "Great Wall of China" between the two business divisions.

COMMENTS
25 July, 2007 07:02 PM EST
Bryce Nutter
Do companies who do not become PCI compliant by Sept 30, 2007 face losing good will, due to public disclosure of PCI audit results, in addition to the fines levied?
15 August, 2007 12:31 PM EST
Avivah Litan, Research VP
The only time credit card companies publish names of companies who are PCI compliant (or not) is when they are payment processors, service providers, payment application software or payment terminal providers – all of whom serve a wide retail/payments market. And yes, these types of firms who are not in PCI compliance most certainly lose good will and probably also lose business since by default, they will also make the companies who rely on their services or software not compliant with PCI.

The credit card companies and security assessors do not publish names of retailers who are not PCI compliant so the issue of losing good will would not apply to this segment unless of course there was a publicized data security breach. In this latter case, we have not seen strong evidence that breached retailers suffer a loss of good will among consumers; but we are currently testing that theory in a consumer survey that we now have in the field. We should have results back in a few weeks.
