The PCI Security Standards Council, the group responsible for managing payment security, last week revoked CSO's status as a Qualified Security Assessor (QSA) and Payment Application Qualified Security Assessor (PA-QSA). CSO was removed from the Council's lists of approved service providers due to its “failure to satisfy the high standard set forth for QSAs and PA-QSAs,” the PCI Council said in a statement released last week.
The PCI Council has not revealed why exactly CSO's credentials were revoked. CSO, meanwhile, did not respond to several interview requests made by SCMagazineUS.com.
“I can't comment on this situation, but suffice to say, the [quality assurance program] is working,” Bob Russo, general manager of the PCI Council, told SCMagazineUS.com on Tuesday.
The Council's quality assurance program, implemented in 2008, requires each QSA to undergo a “rigorous” yearly or bi-yearly assessment designed to ensure it is providing merchants with quality, ethical validation services, Russo said. As part of this process, QSAs must submit redacted compliance reports to the Council for review.
“We look at the way they do the report, the evidence they collect and myriad other things to ensure they are not rubber-stamping them,” Russo said.
In the past, a number of firms have voluntarily left the QSA program, Russo added. In addition, the Council has previously placed several companies on remediation for violating QSA requirements.
The revocation of a QSA is a serious action, which shows that the Council is taking the review of QSAs seriously, said Richard Mackey, vice president of consulting at SystemExperts Corp., a Sudbury, Mass.-based QSA company.
“I have not heard of other QSAs being revoked,” he told SCMagazineUS.com in an email. “I would assume that the QSA in question must have been irresponsible in the assessments it had done and refused to comply with requested changes to its practices.”
The revocation could ultimately be expensive and time-consuming for merchants that are currently being assessed or waiting for validation done by CSO, Mackey said. In addition, the revocation puts into question past validations of environments and products conducted by the company.
“If the work done was truly insufficient for the PCI Council, the product vendors, merchants and service providers will need to address their customers' concerns that will inevitably come following this announcement,” Mackey said.