PCI Council revokes company's QSA status

Merchants that use Scottsdale, Ariz.-based security services provider Chief Security Officers (CSO) to validate their adherence to the Payment Card Industry Data Security Standard (PCI DSS) will have to find a new assessor.

The PCI Security Standards Council, the group responsible for managing payment security, last week revoked CSO's status as a Qualified Security Assessor (QSA) and Payment Application Qualified Security Assessor (PA-QSA). CSO was removed from the Council's lists of approved service providers due to its “failure to satisfy the high standard set forth for QSAs and PA-QSAs,” the PCI Council said in a statement released last week.

The PCI Council has not revealed exactly why CSO's credentials were revoked. CSO, meanwhile, did not respond to several interview requests made by SCMagazineUS.com.

“I can't comment on this situation, but suffice to say, the [quality assurance program] is working,” Bob Russo, general manager of the PCI Council, told SCMagazineUS.com on Tuesday.

The Council's quality assurance program, implemented in 2008, requires each QSA to undergo a “rigorous” yearly or bi-yearly assessment designed to ensure it is providing merchants with quality, ethical validation services, Russo said. As part of this process, QSAs must submit redacted compliance reports to the Council for review.  

“We look at the way they do the report, the evidence they collect and myriad other things to ensure they are not rubber-stamping them,” Russo said.

In the past, a number of firms have voluntarily left the QSA program, Russo added. In addition, the Council has previously placed several companies on remediation for violating QSA requirements. 

The revocation of a QSA is a serious action, which shows that the Council is taking the review of QSAs seriously, said Richard Mackey, vice president of consulting at SystemExperts Corp., a Sudbury, Mass.-based QSA company.

“I have not heard of other QSAs being revoked,” he told SCMagazineUS.com in an email. “I would assume that the QSA in question must have been irresponsible in the assessments it had done and refused to comply with requested changes to its practices.”

The revocation could ultimately be expensive and time-consuming for merchants that are currently being assessed or waiting for validation done by CSO, Mackey said. In addition, the revocation puts into question past validations of environments and products conducted by the company.

“If the work done was truly insufficient for the PCI Council, the product vendors, merchants and service providers will need to address their customers' concerns that will inevitably come following this announcement,” Mackey said.
