PCI Council revokes company's QSA status

Merchants that use Scottsdale, Ariz.-based security services provider Chief Security Officers (CSO) to validate their adherence to the Payment Card Industry Data Security Standard (PCI DSS) will have to find a new assessor.

The PCI Security Standards Council, the group responsible for managing payment security, last week revoked CSO's status as a Qualified Security Assessor (QSA) and Payment Application Qualified Security Assessor (PA-QSA). CSO was removed from the Council's lists of approved service providers due to its “failure to satisfy the high standard set forth for QSAs and PA-QSAs,” the PCI Council said in a statement released last week.

The PCI Council has not revealed why exactly CSO's credentials were revoked. CSO, meanwhile, did not respond to several interview requests made by SCMagazineUS.com.

“I can't comment on this situation, but suffice to say, the [quality assurance program] is working,” Bob Russo, general manager of the PCI Council, told SCMagazineUS.com on Tuesday.

The Council's quality assurance program, implemented in 2008, requires each QSA to undergo a “rigorous” yearly or bi-yearly assessment designed to ensure it is providing merchants with quality, ethical validation services, Russo said. As part of this process, QSAs must submit redacted compliance reports to the Council for review.

“We look at the way they do the report, the evidence they collect and myriad other things to ensure they are not rubber-stamping them,” Russo said.

In the past, a number of firms have voluntarily left the QSA program, Russo added. In addition, the Council has previously placed several companies on remediation for violating QSA requirements.

The revocation of a QSA is a serious action, which shows that the Council is taking the review of QSAs seriously, said Richard Mackey, vice president of consulting at SystemExperts Corp., a Sudbury, Mass.-based QSA company.

“I have not heard of other QSAs being revoked,” he told SCMagazineUS.com in an email. “I would assume that the QSA in question must have been irresponsible in the assessments it had done and refused to comply with requested changes to its practices.”

The revocation could ultimately be expensive and time-consuming for merchants that are currently being assessed or waiting for validation done by CSO, Mackey said. In addition, the revocation puts into question past validations of environments and products conducted by the company.

“If the work done was truly insufficient for the PCI Council, the product vendors, merchants and service providers will need to address their customers' concerns that will inevitably come following this announcement,” Mackey said.
