Can A PCI App Assessment Be Phoned In?

Written by Evan Schuman
September 18th, 2008

Here’s a frightening question: “Who is going to report ‘questionable’ assessments of vendor applications when neither of the parties to the process (the vendor and the assessor) has any motivation to do so?”

The nightmare scenario plays itself out something like this: Apathetic ISV wants its app certified but nothing more, so the ISV shops for an assessor firm and looks only for the lowest price. There are assessment firms that pitch the lowest price, and they are only too happy to make the assessment as quick, painless and profitable (and useless) as possible. That brings us back to the original question: If both sides want to cut costs, who is going to stop them?


3 Comments

  1. Steve Sommers Says:

    I fully agree that the quality of an assessment can differ immensely between different QSAs, but my feeling is that this is more a problem with the program itself rather than price shopping. I’ve brought this topic up in other forums and was told that the problem is in the terminology “assessment” vs. “audit.” PCI requires assessments, and these are simply the QSA’s opinion with some write-up as to why they feel each area of interest passes or fails. There is no requirement for hands-on testing or poking around. With audits, hands-on testing and poking around are a requirement. This, I’m told, is the reason the quality of an assessment can vary so greatly — it’s only an opinion, and opinions can vary greatly.

    As to “phoning it in,” with the remote access technology of today, I don’t feel that remote assessments are of any more or less value than an on-site, hands-on assessment, provided the assessor is viewing the actual application being assessed. Actually, an argument could be made that remote assessments are of a higher value because the assessor is not doing his work directly under the guns of the ISV; instead, the assessor is on his home turf.

    Now, I would classify assessing an application via a streaming web demo as “phoning it in,” and I don’t think this should be allowed. In this case, I would assess the streaming web demo only and not apply the findings to the application being demonstrated.

  2. Branden Williams Says:

    We actually wrote a paper about this. Apathetic boards have much more to worry about than PCI, but until the Council takes action against QSAs that are doing this, more of the same will occur.

  3. Howard Falcon Says:

    While the lowest-cost vendor may not be the most prudent, does that mean that the highest is the most qualified or best to use? I am going through this process now and have gotten quotes that range from just under $10,000 to $56,000. Not only do I question the assessor’s value, but the real question that should be asked is whether PCI is actually performing a task that provides any significant value, with the exception that you need to do it. According to the “Rules,” if you are a Level 1 Service Provider and you have an application that you are not going to sell, then you can perform an external audit. Only when you sell the application do you have to be certified. If your application gets broken into and data gets stolen you are liable, but you are liable anyway.

    This may seem to be negative, and I am and have always been for certification, but PCI has become a Governing Body for Profit, a total money-making machine that is self-governed to ensure greater profits. $250 per hour over 3 weeks to review a 5,000-line application is totally absurd. And the $1,250 to PCI every year just to list the application.



