Can A PCI App Assessment Be Phoned In?
Written by Evan Schuman, September 18th, 2008
Here’s a frightening question: “Who is going to report ‘questionable’ assessments of vendor applications when neither of the parties to the process (the vendor and the assessor) has any motivation to do so?”
The nightmare scenario plays out something like this: an apathetic ISV wants its application certified and nothing more, so it shops for an assessor firm on price alone. There are assessment firms that pitch the lowest price, and they are only too happy to make the assessment as quick, painless and profitable (and useless) as possible. That brings us back to the original question: if both sides want to cut costs, who is going to stop them?
September 18th, 2008 at 12:10 pm
I fully agree that the quality of an assessment can differ immensely between different QSAs, but my feeling is that this is more a problem with the program itself rather than price shopping. I’ve brought this topic up in other forums and was told that the problem is in the terminology “assessment” vs. “audit.” PCI requires assessments, and these are simply the QSA’s opinion with some write-up as to why they feel each area of interest passes or fails. There is no requirement for hands-on testing or poking around. With audits, hands-on testing and poking around is a requirement. This, I’m told, is the reason the quality of an assessment can vary so greatly: it’s only an opinion, and opinions can vary greatly.
As to “phoning it in,” with the remote access technology available today, I don’t feel that remote assessments are of any more or less value than an on-site, hands-on assessment, provided the assessor is viewing the actual application being assessed. Actually, an argument could be made that remote assessments are of a higher value because the assessor is not doing his work directly under the guns of the ISV; instead, the assessor is on his home turf.
Now, I would classify assessing an application via a streaming web demo as “phoning it in,” and I don’t think this should be allowed. In this case, I would assess the streaming web demo only and not apply the findings to the application being demonstrated.
September 18th, 2008 at 3:08 pm
We actually wrote a paper about this. Apathetic boards have much more to worry about than PCI, but until the Council takes action against QSAs that are doing this, more of the same will occur.
September 19th, 2008 at 9:39 am
While the lowest-cost vendor may not be the most prudent choice, does that mean that the highest-cost one is the most qualified or the best to use? I am going through this process now and have gotten quotes that range from just under $10,000 to $56,000. Not only do I question the assessor’s value, but the real question that should be asked is whether PCI is actually performing a task that provides any significant value, with the exception that you need to do it. According to the “Rules,” if you are a Level 1 Service Provider and you have an application that you are not going to sell, then you can perform an external audit. Only when you sell the application do you have to be certified. If your application gets broken into and data gets stolen, you are liable, but you are liable anyway.
This may seem negative, and I am and have always been for certification, but PCI has become a Governing Body for Profit, a total money-making machine that is self-governed to ensure greater profits. $250 per hour over 3 weeks to review a 5,000-line application is totally absurd. And then there is the $1,250 to PCI every year just to list the application.